From ceed720415bc9c4a431af5cfc86aef814c3a91cc Mon Sep 17 00:00:00 2001
From: Dan Cashman <dcashman@google.com>
Date: Wed, 21 Jun 2017 16:35:49 -0700
Subject: [PATCH] Revert "Remove neverallow preventing hwservice access for apps."

This reverts commit 3e307a4de570a64437e3071ae398ed291ba82098.

Test: Builds - neverallow change only.
Bug: 62806062
Change-Id: Id3aa1b425cf48fc8586890c9850a74594584922d
---
 private/app_neverallows.te | 61 ++++++--------------------------------
 public/attributes | 9 ------
 2 files changed, 9 insertions(+), 61 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ecca70a7e..b050e52ab 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -140,63 +140,20 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 # incidence rate of security issues than system/core components and have
 # access to lower layes of the stack (all the way down to hardware) thus
 # increasing opportunities for bypassing the Android security model.
-#
-# Safe services include:
-# - same process services: because they by definition run in the process
-# of the client and thus have the same access as the client domain in which
-# the process runs
-# - coredomain_hwservice: are considered safe because they do not pose risks
-# associated with reason #2 above.
-# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
-# designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-# by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-# Binder service which apps were permitted to access.
neverallow all_untrusted_apps {
 hwservice_manager_type
+ # Same process services are safe because they by definition run in the process
+ # of the client and thus have the same access as the client domain in which
+ # the process runs
 -same_process_hwservice
- -coredomain_hwservice
- -hal_configstore_ISurfaceFlingerConfigs
+ -coredomain_hwservice # neverallows for coredomain HwBinder services are below
+ -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
+ # These operations are also offered by surfaceflinger Binder service which
+ # apps are permitted to access
 -hal_graphics_allocator_hwservice
+ # HwBinder version of mediacodec Binder service which apps were permitted to
+ # access
 -hal_omx_hwservice
- -untrusted_app_visible_hwservice
-}:hwservice_manager find;
-neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
-# Make sure that the following services are never accessible by untrusted_apps
-neverallow all_untrusted_apps {
- default_android_hwservice
- hal_audio_hwservice
- hal_bluetooth_hwservice
- hal_bootctl_hwservice
- hal_camera_hwservice
- hal_contexthub_hwservice
- hal_drm_hwservice
- hal_dumpstate_hwservice
- hal_fingerprint_hwservice
- hal_gatekeeper_hwservice
- hal_gnss_hwservice
- hal_graphics_composer_hwservice
- hal_health_hwservice
- hal_ir_hwservice
- hal_keymaster_hwservice
- hal_light_hwservice
- hal_memtrack_hwservice
- hal_nfc_hwservice
- hal_oemlock_hwservice
- hal_power_hwservice
- hal_sensors_hwservice
- hal_telephony_hwservice
- hal_thermal_hwservice
- hal_tv_cec_hwservice
- hal_tv_input_hwservice
- hal_usb_hwservice
- hal_vibrator_hwservice
- hal_vr_hwservice
- hal_weaver_hwservice
- hal_wifi_hwservice
- hal_wifi_supplicant_hwservice
- hidl_base_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.
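Review bot: The restored rule's `-coredomain_hwservice` exemption is justified only by the inline comment `# neverallows for coredomain HwBinder services are below`, which points at rules outside this hunk; until one of those later rules catches a given coredomain-labeled HwBinder service, this neverallow no longer stops an allow rule from exposing it to all_untrusted_apps, so the comment should name the rule (or file) that closes that gap. The same holds for `-hal_graphics_allocator_hwservice` and `-hal_omx_hwservice`: each subtracted type is one an allow rule elsewhere may grant `find` on without tripping this neverallow, and nothing in the hunk states that the subtraction set is the complete list reviewed for app exposure. I would add, above the set, `# Every type subtracted below is exempt from this neverallow and can be exposed to all untrusted apps by an allow rule; add to this set only with a justification in the comment.` The context line `lower layes of the stack` carries a typo (`layers`) that the revert leaves in place. The neverallow rule begins and ends within this hunk.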
diff --git a/public/attributes b/public/attributes
index 93046772e..f41c54d59 100644
--- a/public/attributes
+++ b/public/attributes
@@ -145,15 +145,6 @@ attribute socket_between_core_and_vendor_violators;
 # TODO(b/36463595)
 attribute vendor_executes_system_violators;

-# hwservices that are accessible from untrusted applications
-# WARNING: Use of this attribute should be avoided unless
-# absolutely necessary. It is a temporary allowance to aid the
-# transition to treble and will be removed in a future platform
-# version, requiring all hwservices that are labeled with this
-# attribute to be submitted to AOSP in order to maintain their
-# app-visibility.
-attribute untrusted_app_visible_hwservice;
-
 # PDX services
 attribute pdx_endpoint_dir_type;
 attribute pdx_endpoint_socket_type;
-- GitLab