From e160d14ed1440e9dabb909b09e147103ddaf3a02 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Mon, 5 Dec 2016 11:19:11 -0700
Subject: [PATCH] Rules for new installd Binder interface.

Most of this CL mirrors what we've already done for the "netd" Binder
interface, while sorting a few lists alphabetically.

Migrating installd to Binder will allow us to get rid of one of
the few lingering text-based command protocols, improving system
maintainability and security.

Test: builds, boots
Bug: 13758960, 30944031
Change-Id: I59b89f916fd12e22f9813ace6673be38314c97b7
---
 private/service_contexts |  1 +
 public/installd.te       | 18 ++++++++++++++++++
 public/service.te        |  5 +++--
 public/shell.te          |  2 +-
 public/system_app.te     |  2 +-
 public/system_server.te  | 14 ++++++++------
 6 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/private/service_contexts b/private/service_contexts
index 9269c2cad..43d05521b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -56,6 +56,7 @@ hdmi_control                              u:object_r:hdmi_control_service:s0
 inputflinger                              u:object_r:inputflinger_service:s0
 input_method                              u:object_r:input_method_service:s0
 input                                     u:object_r:input_service:s0
+installd                                  u:object_r:installd_service:s0
 iphonesubinfo_msim                        u:object_r:radio_service:s0
 iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
diff --git a/public/installd.te b/public/installd.te
index ef5b83aa8..d29f1d9ac 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -118,3 +118,21 @@ allow installd devpts:chr_file rw_file_perms;
 
 # execute toybox for app relocation
 allow installd toolbox_exec:file rx_file_perms;
+
+# Allow installd to publish a binder service and make binder calls.
+binder_use(installd)
+allow installd installd_service:service_manager add;
+allow installd dumpstate:fifo_file  { getattr write };
+
+# Allow installd to call into the system server so it can check permissions.
+binder_call(installd, system_server)
+allow installd permission_service:service_manager find;
+
+###
+### Neverallow rules
+###
+
+# only system_server and dumpstate may interact with installd over binder
+neverallow { domain -system_server -dumpstate } installd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } installd:binder call;
+neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
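Review bot: The `allow installd dumpstate:fifo_file  { getattr write };` rule sits under a comment that only speaks of publishing a binder service and making binder calls, so a reader cannot tell why installd needs write access to a dumpstate fifo; give it its own why-comment, e.g. `# Allow installd to write its dumpsys output to the fifo dumpstate hands it.` (the purpose is inferred from the netd precedent the description cites, so confirm before committing the wording). The second neverallow deliberately exempts dumpstate from calling installd over binder, which presumably means dumpstate.te needs a matching `binder_call(dumpstate, installd)` for `dumpsys installd` to work; that file is not touched here, so either the allow already exists or the exemption is currently unused. The third neverallow lets installd call `su` on userdebug/eng builds; a one-line comment such as `# su may drive installd directly on userdebug/eng for testing` would record that this is intentional rather than an oversight.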
diff --git a/public/service.te b/public/service.te
index 6b874359d..180f498f2 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,14 +1,15 @@
 type audioserver_service,       service_manager_type;
+type batteryproperties_service, app_api_service, service_manager_type;
 type bluetooth_service,         service_manager_type;
 type cameraserver_service,      service_manager_type;
 type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
 type dumpstate_service,         service_manager_type;
-type gatekeeper_service,        app_api_service, service_manager_type;
 type fingerprintd_service,      service_manager_type;
-type batteryproperties_service, app_api_service, service_manager_type;
+type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               service_manager_type;
 type inputflinger_service,      service_manager_type;
+type installd_service,          service_manager_type;
 type keystore_service,          service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediaanalytics_service,    service_manager_type;
diff --git a/public/shell.te b/public/shell.te
index 591dabc98..9bfcda7a1 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -90,7 +90,7 @@ allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -netd_service}:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -netd_service -installd_service}:service_manager find;
 allow shell dumpstate:binder call;
 
 # allow shell to look through /proc/ for ps, top, netstat
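Review bot: The comment `# don't allow shell to access GateKeeper service` is now stale: the rule excludes gatekeeper_service, netd_service and installd_service, and the installd exclusion is what keeps the new neverallow in installd.te from failing the policy build. Update it to `# don't allow shell to find the GateKeeper, netd or installd services` so the next person adding a privileged service sees this denylist must grow with it. The surrounding TODO about the rule being too broad still stands; this change widens the hand-maintained exclusion list rather than narrowing the grant.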
diff --git a/public/system_app.te b/public/system_app.te
index 7896ac556..6be67313d 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -50,7 +50,7 @@ allow system_app asec_apk_file:file r_file_perms;
 
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
 
 allow system_app keystore:keystore_key {
 	get_state
diff --git a/public/system_server.te b/public/system_server.te
index 4f7f86902..86d3d83c0 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -155,11 +155,12 @@ binder_call(system_server, hal_power)
 binder_call(system_server, hal_thermal)
 binder_call(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
-binder_call(system_server, binderservicedomain)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, fingerprintd)
 binder_call(system_server, { appdomain ephemeral_app })
+binder_call(system_server, binderservicedomain)
 binder_call(system_server, dumpstate)
+binder_call(system_server, fingerprintd)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, installd)
 binder_call(system_server, netd)
 binder_call(system_server, wificond)
 binder_service(system_server)
@@ -455,13 +456,14 @@ allow system_server sysfs_zram:dir search;
 allow system_server sysfs_zram:file r_file_perms;
 
 allow system_server audioserver_service:service_manager find;
+allow system_server batteryproperties_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
 allow system_server dumpstate_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server installd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediaanalytics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
-- 
GitLab