Commit f5446eb1 authored by Alex Klyubin's avatar Alex Klyubin

Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
parent 93f99cb1
Showing with 32 additions and 12 deletions
......@@ -158,6 +158,7 @@ $(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_M
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
......@@ -188,6 +189,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
......@@ -243,6 +245,7 @@ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
......@@ -342,6 +345,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEP
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
-s $^ > $@
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
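Review bot: The new `-D target_full_treble=$(PRODUCT_FULL_TREBLE)` definition is copied verbatim into four separate m4 recipes (the hunks at -158, -188, -243 and -342), and each recipe's enclosing rule starts outside the hunk, so nothing ties the four copies together. If a later change adds a fifth policy build step or edits only one of these lists, one of the generated policies is silently compiled with a different set of m4 definitions than the others, and any rule gated on this flag would be present in some outputs and absent in others. Consider hoisting the shared definitions into one variable, e.g. `sepolicy_m4_defines := -D target_with_dexpreopt=$(WITH_DEXPREOPT) -D target_arch=$(PRIVATE_TGT_ARCH) -D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) -D target_full_treble=$(PRODUCT_FULL_TREBLE)`, and referencing it from each recipe. Note also that an unset `PRODUCT_FULL_TREBLE` yields `-D target_full_treble=` (an empty definition), so whatever consumes the flag presumably has to treat "empty" as false — worth a one-line comment at the definition site.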
......
### ADB daemon
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
domain_auto_trans(adbd, shell_exec, shell)
......
......@@ -3,7 +3,7 @@
type atrace_exec, exec_type, file_type;
userdebug_or_eng(`
type atrace, domain, domain_deprecated;
type atrace, domain, coredomain, domain_deprecated;
init_daemon_domain(atrace)
......
# audioserver - audio services daemon
typeattribute audioserver coredomain;
type audioserver_exec, exec_type, file_type;
init_daemon_domain(audioserver)
......
allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
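Review bot: This allow rule is the only thing visible in the file, and it carries no explanation that `binder_in_vendor_violators` is a temporary exemption from the Binder restriction described in the commit message; a reader of the policy alone sees an attribute that hands `binder_device` read/write access to whichever domains are tagged with it, with nothing discouraging new additions. Put the rationale next to the rule, e.g. `# Temporary exemption: domains that still use Binder despite not being coredomain or appdomain. Do not add new domains here; each entry is tracked for removal under bug 35870313.`. Since the attribute deliberately bypasses the neverallow the commit introduces, a comment stating that every `typeattribute <domain> binder_in_vendor_violators;` line needs the same review as a Binder grant would help keep the list from growing.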
# blkid called from vold
typeattribute blkid coredomain;
type blkid_exec, exec_type, file_type;
# Allowed read-only access to encrypted devices to extract UUID/label
......
# blkid for untrusted block devices
typeattribute blkid_untrusted coredomain;
# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;
......
# bluetooth subsystem
typeattribute bluetooth coredomain;
typeattribute bluetooth domain_deprecated;
app_domain(bluetooth)
......
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
typeattribute bootanim coredomain;
init_daemon_domain(bootanim)
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
typeattribute bootstat coredomain;
init_daemon_domain(bootstat)
typeattribute bufferhubd coredomain;
init_daemon_domain(bufferhubd)
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
typeattribute cameraserver coredomain;
init_daemon_domain(cameraserver)
typeattribute charger coredomain;
typeattribute clatd coredomain;
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
typeattribute cppreopts coredomain;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(cppreopts)
......
typeattribute crash_dump coredomain;
typeattribute dex2oat coredomain;
# dexoptanalyzer
type dexoptanalyzer, domain, mlstrustedsubject;
type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
type dexoptanalyzer_exec, exec_type, file_type;
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
......
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
typeattribute dhcp coredomain;
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
typeattribute dnsmasq coredomain;