From f5446eb1486816c00136b2b5f0a3cc4a01706000 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 23 Mar 2017 14:27:32 -0700
Subject: [PATCH] Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, vendor domains (except vendor
apps) are not permitted to use Binder. This commit thus:
* groups non-vendor domains using the new "coredomain" attribute,
* adds neverallow rules restricting Binder use to coredomain and
  appdomain only, and
* temporarily exempts the domains which are currently violating this
  rule from this restriction. These domains are grouped using the new
  "binder_in_vendor_violators" attribute. The attribute is needed
  because the types corresponding to violators are not exposed to the
  public policy where the neverallow rules are.

Test: mmm system/sepolicy
Test: Device boots, no new denials
Test: In Chrome, navigate to ip6.me, play a YouTube video
Test: YouTube: play a video
Test: Netflix: play a movie
Test: Google Camera: take a photo, take an HDR+ photo, record video with
      sound, record slow motion video with sound. Confirm videos play
      back fine and with sound.
Bug: 35870313
Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
---
 Android.mk                            |  4 ++++
 private/adbd.te                       |  1 +
 private/atrace.te                     |  2 +-
 private/audioserver.te                |  2 ++
 private/binder_in_vendor_violators.te |  1 +
 private/blkid.te                      |  2 ++
 private/blkid_untrusted.te            |  2 ++
 private/bluetooth.te                  |  1 +
 private/bootanim.te                   |  4 ++--
 private/bootstat.te                   |  4 ++--
 private/bufferhubd.te                 |  2 ++
 private/cameraserver.te               |  4 ++--
 private/charger.te                    |  1 +
 private/clatd.te                      |  1 +
 private/cppreopts.te                  |  4 ++--
 private/crash_dump.te                 |  1 +
 private/dex2oat.te                    |  1 +
 private/dexoptanalyzer.te             |  2 +-
 private/dhcp.te                       |  4 ++--
 private/dnsmasq.te                    |  1 +
 private/drmserver.te                  |  4 ++--
 private/dumpstate.te                  |  4 ++--
 private/ephemeral_app.te              |  2 ++
 private/fingerprintd.te               |  4 ++--
 private/fsck.te                       |  4 ++--
 private/fsck_untrusted.te             |  1 +
 private/gatekeeperd.te                |  4 ++--
 private/hal_allocator_default.te      |  2 +-
 private/healthd.te                    |  4 ++--
 private/hwservicemanager.te           |  4 ++--
 private/idmap.te                      |  1 +
 private/incident.te                   |  2 ++
 private/incidentd.te                  |  2 ++
 private/init.te                       |  4 ++--
 private/inputflinger.te               |  4 ++--
 private/install_recovery.te           |  4 ++--
 private/installd.te                   |  4 ++--
 private/isolated_app.te               |  2 ++
 private/kernel.te                     |  4 ++--
 private/keystore.te                   |  4 ++--
 private/lmkd.te                       |  4 ++--
 private/logd.te                       |  4 ++--
 private/logpersist.te                 |  2 ++
 private/mdnsd.te                      |  1 +
 private/mediacodec.te                 |  4 ++--
 private/mediadrmserver.te             |  4 ++--
 private/mediaextractor.te             |  4 ++--
 private/mediametrics.te               |  4 ++--
 private/mediaserver.te                |  4 ++--
 private/modprobe.te                   |  1 +
 private/mtp.te                        |  4 ++--
 private/netd.te                       |  4 ++--
 private/nfc.te                        |  1 +
 private/otapreopt_chroot.te           |  4 ++--
 private/otapreopt_slot.te             |  4 ++--
 private/performanced.te               |  2 ++
 private/platform_app.te               |  1 +
 private/postinstall.te                |  4 ++--
 private/postinstall_dexopt.te         |  4 ++--
 private/ppp.te                        |  4 ++--
 private/preopt2cachename.te           |  1 +
 private/priv_app.te                   |  1 +
 private/profman.te                    |  1 +
 private/racoon.te                     |  4 ++--
 private/radio.te                      |  2 ++
 private/recovery.te                   |  1 +
 private/recovery_persist.te           |  4 ++--
 private/recovery_refresh.te           |  4 ++--
 private/runas.te                      |  4 ++--
 private/sdcardd.te                    |  4 ++--
 private/sensord.te                    |  2 ++
 private/servicemanager.te             |  4 ++--
 private/sgdisk.te                     |  1 +
 private/shared_relro.te               |  2 ++
 private/shell.te                      |  2 ++
 private/slideshow.te                  |  1 +
 private/storaged.te                   |  2 +-
 private/surfaceflinger.te             |  2 ++
 private/system_app.te                 |  1 +
 private/system_server.te              |  1 +
 private/tee.te                        |  4 ++--
 private/tombstoned.te                 |  4 ++--
 private/toolbox.te                    |  4 ++--
 private/tzdatacheck.te                |  4 ++--
 private/ueventd.te                    |  4 ++--
 private/uncrypt.te                    |  4 ++--
 private/untrusted_app.te              |  2 ++
 private/untrusted_app_25.te           |  2 ++
 private/untrusted_v2_app.te           |  3 +++
 private/update_engine.te              |  4 ++--
 private/update_verifier.te            |  4 ++--
 private/vdc.te                        |  4 ++--
 private/virtual_touchpad.te           |  2 ++
 private/vold.te                       |  4 ++--
 private/watchdogd.te                  |  1 +
 private/webview_zygote.te             |  2 ++
 private/wificond.te                   |  4 ++--
 private/zygote.te                     |  1 +
 public/attributes                     |  7 +++++++
 public/domain.te                      | 23 ++++++++++++++++++++++-
 public/te_macros                      | 12 ++++++++++++
 vendor/hal_wifi_supplicant_default.te |  3 +++
 vendor/vndservicemanager.te           |  2 +-
 103 files changed, 216 insertions(+), 104 deletions(-)
 create mode 100644 private/binder_in_vendor_violators.te
 create mode 100644 private/charger.te
 create mode 100644 private/clatd.te
 create mode 100644 private/crash_dump.te
 create mode 100644 private/dex2oat.te
 create mode 100644 private/dnsmasq.te
 create mode 100644 private/fsck_untrusted.te
 create mode 100644 private/idmap.te
 create mode 100644 private/modprobe.te
 create mode 100644 private/preopt2cachename.te
 create mode 100644 private/profman.te
 create mode 100644 private/recovery.te
 create mode 100644 private/sgdisk.te
 create mode 100644 private/slideshow.te
 create mode 100644 private/watchdogd.te

diff --git a/Android.mk b/Android.mk
index e2883560f..976d61b5a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -158,6 +158,7 @@ $(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_M
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 
 reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
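Review bot: `-D target_full_treble=$(PRODUCT_FULL_TREBLE)` expands to an empty definition whenever a product leaves PRODUCT_FULL_TREBLE unset, so the policy macro that consumes `target_full_treble` (presumably in public/te_macros, outside this hunk) must treat the empty string as "not Full Treble" rather than only testing for `false`; worth confirming before the new neverallows depend on it. The identical flag is added to four separate recipes (this hunk and the three that follow), each carrying its own copy of the same `-D` list. Defining the shared flag once, e.g. a `treble_m4_flag := -D target_full_treble=$(PRODUCT_FULL_TREBLE)` variable referenced from each recipe, would keep the four invocations from drifting apart.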
@@ -188,6 +189,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY))
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 
 plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
@@ -243,6 +245,7 @@ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
@@ -342,6 +345,7 @@ $(BOARD_SEPOLICY_VERS_DIR) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEP
 		-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
 		-D target_arch=$(PRIVATE_TGT_ARCH) \
 		-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
+		-D target_full_treble=$(PRODUCT_FULL_TREBLE) \
 		-s $^ > $@
 	$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
 
diff --git a/private/adbd.te b/private/adbd.te
index 1865b2a10..9b84603d0 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -1,5 +1,6 @@
 ### ADB daemon
 
+typeattribute adbd coredomain;
 typeattribute adbd mlstrustedsubject;
 
 domain_auto_trans(adbd, shell_exec, shell)
diff --git a/private/atrace.te b/private/atrace.te
index 9c4f34200..94d84834d 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -3,7 +3,7 @@
 type atrace_exec, exec_type, file_type;
 
 userdebug_or_eng(`
-  type atrace, domain, domain_deprecated;
+  type atrace, domain, coredomain, domain_deprecated;
 
   init_daemon_domain(atrace)
 
diff --git a/private/audioserver.te b/private/audioserver.te
index 95a752169..a6253f244 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -1,5 +1,7 @@
 # audioserver - audio services daemon
 
+typeattribute audioserver coredomain;
+
 type audioserver_exec, exec_type, file_type;
 init_daemon_domain(audioserver)
 
diff --git a/private/binder_in_vendor_violators.te b/private/binder_in_vendor_violators.te
new file mode 100644
index 000000000..4a1218e1d
--- /dev/null
+++ b/private/binder_in_vendor_violators.te
@@ -0,0 +1 @@
+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
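Review bot: The new file grants `binder_device:chr_file rw_file_perms` to `binder_in_vendor_violators` with no comment, although the commit message describes the attribute as a temporary exemption from the Full Treble Binder restriction. Anyone adding a domain to this attribute later has no in-file cue that they are widening a security exception rather than a normal allow rule. Suggest opening the file with a comment along the lines of `# Temporary: domains that still use Binder despite the Full Treble neverallow in public/domain.te. Do not add entries; remove them as the domains are fixed.` It is also worth confirming that this access matches exactly what coredomain/appdomain retain in public/domain.te (not in this hunk), so the exemption is no broader than the rule it bypasses.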
diff --git a/private/blkid.te b/private/blkid.te
index 9c4cfccc8..090912b82 100644
--- a/private/blkid.te
+++ b/private/blkid.te
@@ -1,5 +1,7 @@
 # blkid called from vold
 
+typeattribute blkid coredomain;
+
 type blkid_exec, exec_type, file_type;
 
 # Allowed read-only access to encrypted devices to extract UUID/label
diff --git a/private/blkid_untrusted.te b/private/blkid_untrusted.te
index ae18e6860..125677157 100644
--- a/private/blkid_untrusted.te
+++ b/private/blkid_untrusted.te
@@ -1,5 +1,7 @@
 # blkid for untrusted block devices
 
+typeattribute blkid_untrusted coredomain;
+
 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;
 allow blkid_untrusted vold_device:blk_file r_file_perms;
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 9c7182e6c..628f9714c 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,5 +1,6 @@
 # bluetooth subsystem
 
+typeattribute bluetooth coredomain;
 typeattribute bluetooth domain_deprecated;
 
 app_domain(bluetooth)
diff --git a/private/bootanim.te b/private/bootanim.te
index 94fbc1f4f..8c9f6c76e 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootanim coredomain;
+
 init_daemon_domain(bootanim)
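Review bot: The hunk deletes the two-line rationale comment about keeping `init_daemon_domain` in private policy while adding `typeattribute bootanim coredomain;`, and the same substitution is made in bootstat, cameraserver, cppreopts, dhcp, drmserver, dumpstate and every other `4 ++--` file in the diffstat, yet the commit message only describes adding the attribute. If dropping that comment is intended cleanup, one sentence in the description saying so would stop reviewers from reading the deletions as accidental; otherwise keep the comment and place the `typeattribute` line above it.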
diff --git a/private/bootstat.te b/private/bootstat.te
index caa82fd62..806144cf6 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute bootstat coredomain;
+
 init_daemon_domain(bootstat)
diff --git a/private/bufferhubd.te b/private/bufferhubd.te
index 4fa77a59b..012eb2027 100644
--- a/private/bufferhubd.te
+++ b/private/bufferhubd.te
@@ -1 +1,3 @@
+typeattribute bufferhubd coredomain;
+
 init_daemon_domain(bufferhubd)
diff --git a/private/cameraserver.te b/private/cameraserver.te
index b34d74608..c16c13260 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cameraserver coredomain;
+
 init_daemon_domain(cameraserver)
diff --git a/private/charger.te b/private/charger.te
new file mode 100644
index 000000000..65109deff
--- /dev/null
+++ b/private/charger.te
@@ -0,0 +1 @@
+typeattribute charger coredomain;
diff --git a/private/clatd.te b/private/clatd.te
new file mode 100644
index 000000000..5ba0fc5cd
--- /dev/null
+++ b/private/clatd.te
@@ -0,0 +1 @@
+typeattribute clatd coredomain;
diff --git a/private/cppreopts.te b/private/cppreopts.te
index 02c13b3a0..34f0d669b 100644
--- a/private/cppreopts.te
+++ b/private/cppreopts.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute cppreopts coredomain;
+
 # Technically not a daemon but we do want the transition from init domain to
 # cppreopts to occur.
 init_daemon_domain(cppreopts)
diff --git a/private/crash_dump.te b/private/crash_dump.te
new file mode 100644
index 000000000..fb73f08a9
--- /dev/null
+++ b/private/crash_dump.te
@@ -0,0 +1 @@
+typeattribute crash_dump coredomain;
diff --git a/private/dex2oat.te b/private/dex2oat.te
new file mode 100644
index 000000000..fd45484f4
--- /dev/null
+++ b/private/dex2oat.te
@@ -0,0 +1 @@
+typeattribute dex2oat coredomain;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 2239d2ae8..db81d0dad 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -1,5 +1,5 @@
 # dexoptanalyzer
-type dexoptanalyzer, domain, mlstrustedsubject;
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
 type dexoptanalyzer_exec, exec_type, file_type;
 
 # Reading an APK opens a ZipArchive, which unpack to tmpfs.
diff --git a/private/dhcp.te b/private/dhcp.te
index 67451896e..b2f8ac7c7 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute dhcp coredomain;
+
 init_daemon_domain(dhcp)
 type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/private/dnsmasq.te b/private/dnsmasq.te
new file mode 100644
index 000000000..96084b490
--- /dev/null
+++ b/private/dnsmasq.te
@@ -0,0 +1 @@
+typeattribute dnsmasq coredomain;
diff --git a/private/drmserver.te b/private/drmserver.te
index cc96afdce..45663bbe1 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute drmserver coredomain;
+
 init_daemon_domain(drmserver)
 
 type_transition drmserver apk_data_file:sock_file drmserver_socket;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 62628dd25..cbdfbc6d5 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute dumpstate coredomain;
+
 init_daemon_domain(dumpstate)
 
 # Execute and transition to the vdc domain
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b0515ad9..92890273a 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -11,6 +11,8 @@
 ###
 ### PackageManager flags an app as ephemeral at install time.
 
+typeattribute ephemeral_app coredomain;
+
 net_domain(ephemeral_app)
 app_domain(ephemeral_app)
 
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
index a733cabd9..eb73ef8cc 100644
--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute fingerprintd coredomain;
+
 init_daemon_domain(fingerprintd)
diff --git a/private/fsck.te b/private/fsck.te
index f3f4c52d2..3a36329f7 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute fsck coredomain;
+
 init_daemon_domain(fsck)
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
new file mode 100644
index 000000000..9a57bf027
--- /dev/null
+++ b/private/fsck_untrusted.te
@@ -0,0 +1 @@
+typeattribute fsck_untrusted coredomain;
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
index d050c2edf..5e4d0a2e9 100644
--- a/private/gatekeeperd.te
+++ b/private/gatekeeperd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute gatekeeperd coredomain;
+
 init_daemon_domain(gatekeeperd)
diff --git a/private/hal_allocator_default.te b/private/hal_allocator_default.te
index ff407d5a6..49ef1781b 100644
--- a/private/hal_allocator_default.te
+++ b/private/hal_allocator_default.te
@@ -1,4 +1,4 @@
-type hal_allocator_default, domain;
+type hal_allocator_default, domain, coredomain;
 hal_server_domain(hal_allocator_default, hal_allocator)
 
 type hal_allocator_default_exec, exec_type, file_type;
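Review bot: `type hal_allocator_default, domain, coredomain;` tags a `hal_server_domain` as coredomain without explanation, while the commit message frames coredomain as the grouping of non-vendor domains; a reader auditing Treble separation will wonder whether a HAL server belongs in it. Presumably the default allocator HAL implementation is shipped in the system image rather than under vendor, but nothing in the file says so. A one-line comment such as `# The default allocator HAL ships in the system image, hence coredomain.` above the type line would record the reason, assuming that is indeed why it is exempt from the vendor side.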
diff --git a/private/healthd.te b/private/healthd.te
index fc13e28fd..0693a3a68 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute healthd coredomain;
+
 init_daemon_domain(healthd)
 
 # Allow callback to storaged batteryproperties listener
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index e15d13db0..627b93f5f 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute hwservicemanager coredomain;
+
 init_daemon_domain(hwservicemanager)
diff --git a/private/idmap.te b/private/idmap.te
new file mode 100644
index 000000000..73abf3552
--- /dev/null
+++ b/private/idmap.te
@@ -0,0 +1 @@
+typeattribute idmap coredomain;
diff --git a/private/incident.te b/private/incident.te
index 084bd5dfd..b910ddef3 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -1,3 +1,5 @@
+typeattribute incident coredomain;
+
 type incident_exec, exec_type, file_type;
 
 # switch to incident domain for incident command
diff --git a/private/incidentd.te b/private/incidentd.te
index 49830f43e..efd23bdae 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -1,3 +1,5 @@
+typeattribute incidentd coredomain;
+
 init_daemon_domain(incidentd)
 type incidentd_exec, exec_type, file_type;
 binder_use(incidentd)
diff --git a/private/init.te b/private/init.te
index f491d00f3..fb4335a09 100644
--- a/private/init.te
+++ b/private/init.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute init coredomain;
+
 tmpfs_domain(init)
 
 # Transitions to seclabel processes in init.rc
diff --git a/private/inputflinger.te b/private/inputflinger.te
index dae01f867..9696b491b 100644
--- a/private/inputflinger.te
+++ b/private/inputflinger.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute inputflinger coredomain;
+
 init_daemon_domain(inputflinger)
diff --git a/private/install_recovery.te b/private/install_recovery.te
index b9b402b56..b79d683a6 100644
--- a/private/install_recovery.te
+++ b/private/install_recovery.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute install_recovery coredomain;
+
 init_daemon_domain(install_recovery)
diff --git a/private/installd.te b/private/installd.te
index e18d8410a..f74843dd1 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute installd coredomain;
+
 init_daemon_domain(installd)
 
 # Run dex2oat in its own sandbox.
diff --git a/private/isolated_app.te b/private/isolated_app.te
index f98b1d1cd..418a3224e 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -6,6 +6,8 @@
 ### and AID_ISOLATED_END (99999).
 ###
 
+typeattribute isolated_app coredomain;
+
 app_domain(isolated_app)
 
 # Access already open app data files received over Binder or local socket IPC.
diff --git a/private/kernel.te b/private/kernel.te
index 1c2223e57..a4e6ebe36 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute kernel coredomain;
+
 domain_auto_trans(kernel, init_exec, init)
diff --git a/private/keystore.te b/private/keystore.te
index 70ad3b24d..6aa888429 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute keystore coredomain;
+
 init_daemon_domain(keystore)
diff --git a/private/lmkd.te b/private/lmkd.te
index a5d0d7756..a07ce879c 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute lmkd coredomain;
+
 init_daemon_domain(lmkd)
diff --git a/private/logd.te b/private/logd.te
index aea6654c8..4338e4005 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute logd coredomain;
+
 init_daemon_domain(logd)
 
 # logd is not allowed to write anywhere other than /data/misc/logd, and then
diff --git a/private/logpersist.te b/private/logpersist.te
index dbace693c..70e3198b5 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -1,3 +1,5 @@
+typeattribute logpersist coredomain;
+
 # android debug log storage in logpersist domains (eng and userdebug only)
 userdebug_or_eng(`
 
diff --git a/private/mdnsd.te b/private/mdnsd.te
index 2fefc32dd..96259e298 100644
--- a/private/mdnsd.te
+++ b/private/mdnsd.te
@@ -1,5 +1,6 @@
 # mdns daemon
 
+typeattribute mdnsd coredomain;
 typeattribute mdnsd mlstrustedsubject;
 
 type mdnsd_exec, exec_type, file_type;
diff --git a/private/mediacodec.te b/private/mediacodec.te
index 7f88433a1..ff290bc41 100644
--- a/private/mediacodec.te
+++ b/private/mediacodec.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediacodec coredomain;
+
 init_daemon_domain(mediacodec)
diff --git a/private/mediadrmserver.te b/private/mediadrmserver.te
index 5a8e7446c..def87599f 100644
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediadrmserver coredomain;
+
 init_daemon_domain(mediadrmserver)
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 8596c1440..c1a85219c 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaextractor coredomain;
+
 init_daemon_domain(mediaextractor)
diff --git a/private/mediametrics.te b/private/mediametrics.te
index 11f17d23d..f8b2fa5cd 100644
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediametrics coredomain;
+
 init_daemon_domain(mediametrics)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 74b11b07b..4b510a54a 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaserver coredomain;
+
 init_daemon_domain(mediaserver)
diff --git a/private/modprobe.te b/private/modprobe.te
new file mode 100644
index 000000000..98586756f
--- /dev/null
+++ b/private/modprobe.te
@@ -0,0 +1 @@
+typeattribute modprobe coredomain;
diff --git a/private/mtp.te b/private/mtp.te
index 69e1353b0..732e111ed 100644
--- a/private/mtp.te
+++ b/private/mtp.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mtp coredomain;
+
 init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index cc87dcbb4..f501f25e9 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute netd coredomain;
+
 init_daemon_domain(netd)
 
 # Allow netd to spawn dnsmasq in it's own domain
diff --git a/private/nfc.te b/private/nfc.te
index 4d1f2ce29..25ad702b5 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1,4 +1,5 @@
 # nfc subsystem
+typeattribute nfc coredomain;
 app_domain(nfc)
 net_domain(nfc)
 
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 8e54a790f..1f69931c8 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_chroot coredomain;
+
 # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/private/otapreopt_slot.te b/private/otapreopt_slot.te
index 519c34274..98b93d406 100644
--- a/private/otapreopt_slot.te
+++ b/private/otapreopt_slot.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_slot coredomain;
+
 # Technically not a daemon but we do want the transition from init domain to
 # cppreopts to occur.
 init_daemon_domain(otapreopt_slot)
diff --git a/private/performanced.te b/private/performanced.te
index 9544f662c..792826e02 100644
--- a/private/performanced.te
+++ b/private/performanced.te
@@ -1 +1,3 @@
+typeattribute performanced coredomain;
+
 init_daemon_domain(performanced)
diff --git a/private/platform_app.te b/private/platform_app.te
index 6b18d8fee..984bb7b4f 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -2,6 +2,7 @@
 ### Apps signed with the platform key.
 ###
 
+typeattribute platform_app coredomain;
 typeattribute platform_app domain_deprecated;
 
 app_domain(platform_app)
diff --git a/private/postinstall.te b/private/postinstall.te
index 47bf320f3..363e362dd 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall coredomain;
+
 domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 7596465aa..ff5fe8735 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall_dexopt coredomain;
+
 # Run dex2oat/patchoat in its own sandbox.
 # We have to manually transition, as we don't have an entrypoint.
 domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/private/ppp.te b/private/ppp.te
index befc20e5e..968b221b6 100644
--- a/private/ppp.te
+++ b/private/ppp.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute ppp coredomain;
+
 domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/preopt2cachename.te b/private/preopt2cachename.te
new file mode 100644
index 000000000..d10f76766
--- /dev/null
+++ b/private/preopt2cachename.te
@@ -0,0 +1 @@
+typeattribute preopt2cachename coredomain;
diff --git a/private/priv_app.te b/private/priv_app.te
index 83a4b3f76..38ce673a1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -2,6 +2,7 @@
 ### A domain for further sandboxing privileged apps.
 ###
 
+typeattribute priv_app coredomain;
 app_domain(priv_app)
 
 # Access the network.
diff --git a/private/profman.te b/private/profman.te
new file mode 100644
index 000000000..f61d05efe
--- /dev/null
+++ b/private/profman.te
@@ -0,0 +1 @@
+typeattribute profman coredomain;
diff --git a/private/racoon.te b/private/racoon.te
index 3eeb8151a..42ea7c9e4 100644
--- a/private/racoon.te
+++ b/private/racoon.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute racoon coredomain;
+
 init_daemon_domain(racoon)
diff --git a/private/radio.te b/private/radio.te
index 95e7f0a47..b4f539048 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,3 +1,5 @@
+typeattribute radio coredomain;
+
 app_domain(radio)
 
 read_runtime_log_tags(radio)
diff --git a/private/recovery.te b/private/recovery.te
new file mode 100644
index 000000000..2a7fdc7e1
--- /dev/null
+++ b/private/recovery.te
@@ -0,0 +1 @@
+typeattribute recovery coredomain;
diff --git a/private/recovery_persist.te b/private/recovery_persist.te
index 3c37d2bc9..1fdd7583d 100644
--- a/private/recovery_persist.te
+++ b/private/recovery_persist.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute recovery_persist coredomain;
+
 init_daemon_domain(recovery_persist)
 
 # recovery_persist is not allowed to write anywhere other than recovery_data_file
diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
index d1cfbfea0..327098dad 100644
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute recovery_refresh coredomain;
+
 init_daemon_domain(recovery_refresh)
 
 # recovery_refresh is not allowed to write anywhere
diff --git a/private/runas.te b/private/runas.te
index d791501b3..ef31aac34 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -1,4 +1,4 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute runas coredomain;
+
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
index 55915fed7..126d64349 100644
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute sdcardd coredomain;
+
 type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/private/sensord.te b/private/sensord.te
index ef03b095c..bdeded638 100644
--- a/private/sensord.te
+++ b/private/sensord.te
@@ -1 +1,3 @@
+typeattribute sensord coredomain;
+
 init_daemon_domain(sensord)
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 6f382a7c3..9f675a2be 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute servicemanager coredomain;
+
 init_daemon_domain(servicemanager)
 
 read_runtime_log_tags(servicemanager)
diff --git a/private/sgdisk.te b/private/sgdisk.te
new file mode 100644
index 000000000..a17342e01
--- /dev/null
+++ b/private/sgdisk.te
@@ -0,0 +1 @@
+typeattribute sgdisk coredomain;
diff --git a/private/shared_relro.te b/private/shared_relro.te
index b1ba0ff4a..02f720682 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,3 +1,5 @@
+typeattribute shared_relro coredomain;
+
 # The shared relro process is a Java program forked from the zygote, so it
 # inherits from app to get basic permissions it needs to run.
 app_domain(shared_relro)
diff --git a/private/shell.te b/private/shell.te
index 1e779645a..aab0a15c3 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,3 +1,5 @@
+typeattribute shell coredomain;
+
 # systrace support - allow atrace to run
 allow shell debugfs_tracing:dir r_dir_perms;
 allow shell debugfs_tracing:file r_file_perms;
diff --git a/private/slideshow.te b/private/slideshow.te
new file mode 100644
index 000000000..7dfa994ea
--- /dev/null
+++ b/private/slideshow.te
@@ -0,0 +1 @@
+typeattribute slideshow coredomain;
diff --git a/private/storaged.te b/private/storaged.te
index 4796675ac..3dbabf6f2 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -1,5 +1,5 @@
 # storaged daemon
-type storaged, domain, mlstrustedsubject;
+type storaged, domain, coredomain, mlstrustedsubject;
 type storaged_exec, exec_type, file_type;
 
 init_daemon_domain(storaged)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 3808c838f..f143580dd 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -1,5 +1,7 @@
 # surfaceflinger - display compositor service
 
+typeattribute surfaceflinger coredomain;
+
 type surfaceflinger_exec, exec_type, file_type;
 init_daemon_domain(surfaceflinger)
 
diff --git a/private/system_app.te b/private/system_app.te
index 7539da226..12ba6094f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -4,6 +4,7 @@
 ### server.
 ###
 
+typeattribute system_app coredomain;
 typeattribute system_app domain_deprecated;
 
 app_domain(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index d1f9bc322..da1c62550 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -3,6 +3,7 @@
 # Most of the framework services run in this process.
 #
 
+typeattribute system_server coredomain;
 typeattribute system_server domain_deprecated;
 typeattribute system_server mlstrustedsubject;
 
diff --git a/private/tee.te b/private/tee.te
index 17b276fdd..99f501e9f 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tee coredomain;
+
 init_daemon_domain(tee)
diff --git a/private/tombstoned.te b/private/tombstoned.te
index 73fdb1bdf..305f9d006 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tombstoned coredomain;
+
 init_daemon_domain(tombstoned)
diff --git a/private/toolbox.te b/private/toolbox.te
index fd43d5ee6..a2b958dba 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute toolbox coredomain;
+
 init_daemon_domain(toolbox)
diff --git a/private/tzdatacheck.te b/private/tzdatacheck.te
index ee67bb2e5..502735cad 100644
--- a/private/tzdatacheck.te
+++ b/private/tzdatacheck.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute tzdatacheck coredomain;
+
 init_daemon_domain(tzdatacheck)
diff --git a/private/ueventd.te b/private/ueventd.te
index 5034db7f9..1bd67735e 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute ueventd coredomain;
+
 tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index e2b919c74..e4e9224d9 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute uncrypt coredomain;
+
 init_daemon_domain(uncrypt)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 2f4a1a4de..68c1a41bd 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -17,6 +17,8 @@
 ### seapp_contexts.
 ###
 
+typeattribute untrusted_app coredomain;
+
 app_domain(untrusted_app)
 untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index e576d27dc..3fa79efce 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -19,6 +19,8 @@
 ### seapp_contexts.
 ###
 
+typeattribute untrusted_app_25 coredomain;
+
 app_domain(untrusted_app_25)
 untrusted_app_domain(untrusted_app_25)
 net_domain(untrusted_app_25)
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
index e51170915..ef628414d 100644
--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
@@ -1,6 +1,9 @@
 ###
 ### Untrusted v2 sandbox apps.
 ###
+
+typeattribute untrusted_v2_app coredomain;
+
 app_domain(untrusted_v2_app)
 net_domain(untrusted_v2_app)
 bluetooth_domain(untrusted_v2_app)
diff --git a/private/update_engine.te b/private/update_engine.te
index 01199ebb2..5af7db681 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute update_engine coredomain;
+
 init_daemon_domain(update_engine);
diff --git a/private/update_verifier.te b/private/update_verifier.te
index c5f110b6c..1b934d980 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute update_verifier coredomain;
+
 init_daemon_domain(update_verifier)
diff --git a/private/vdc.te b/private/vdc.te
index 877e91331..bc7409eee 100644
--- a/private/vdc.te
+++ b/private/vdc.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute vdc coredomain;
+
 init_daemon_domain(vdc)
diff --git a/private/virtual_touchpad.te b/private/virtual_touchpad.te
index ced556e26..e735172fe 100644
--- a/private/virtual_touchpad.te
+++ b/private/virtual_touchpad.te
@@ -1 +1,3 @@
+typeattribute virtual_touchpad coredomain;
+
 init_daemon_domain(virtual_touchpad)
diff --git a/private/vold.te b/private/vold.te
index b2495f688..a6d1001d1 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -1,5 +1,5 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute vold coredomain;
+
 init_daemon_domain(vold)
 
 # Switch to more restrictive domains when executing common tools
diff --git a/private/watchdogd.te b/private/watchdogd.te
new file mode 100644
index 000000000..36dd30fd7
--- /dev/null
+++ b/private/watchdogd.te
@@ -0,0 +1 @@
+typeattribute watchdogd coredomain;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index aad66bf98..b2a19519f 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -1,6 +1,8 @@
 # webview_zygote is an auxiliary zygote process that is used to spawn
 # isolated_app processes for rendering untrusted web content.
 
+typeattribute webview_zygote coredomain;
+
 # The webview_zygote needs to be able to transition domains.
 typeattribute webview_zygote mlstrustedsubject;
 
diff --git a/private/wificond.te b/private/wificond.te
index 2e89975d0..5476e3385 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,3 +1,3 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute wificond coredomain;
+
 init_daemon_domain(wificond)
diff --git a/private/zygote.te b/private/zygote.te
index f0ac0b2ab..e9ec6724f 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -1,4 +1,5 @@
 # zygote
+typeattribute zygote coredomain;
 typeattribute zygote domain_deprecated;
 typeattribute zygote mlstrustedsubject;
 
diff --git a/public/attributes b/public/attributes
index b9360a6c6..00035abba 100644
--- a/public/attributes
+++ b/public/attributes
@@ -115,6 +115,13 @@ attribute binderservicedomain;
 # recovery for A/B devices.
 attribute update_engine_common;
 
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All vendor domains which violate the requirement of not using Binder
+# TODO(b/35870313): Remove this once there are no violations
+attribute binder_in_vendor_violators;
+
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients
diff --git a/public/domain.te b/public/domain.te
index 5f7da0bf3..8a42336fb 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,7 +66,10 @@ allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow { coredomain appdomain -hwservicemanager } binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
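Review bot: On full-TREBLE builds the rewritten rule at the first `+allow` line grants `binder_device:chr_file` only to `coredomain` and `appdomain`, so a domain placed in `binder_in_vendor_violators` (e.g. `hal_wifi_supplicant_default` in the vendor/hal_wifi_supplicant_default.te hunk) is exempted from the new neverallow but, as far as this diff shows, receives no allow rule for /dev/binder when `target_full_treble` is true. Unless such a grant exists elsewhere, the `not_full_treble` fallback means the violators only keep working on non-full-TREBLE devices, which would also explain why the device tests in the description show no new denials. If the attribute is meant to keep those domains functional during the migration, a matching rule such as `allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;` next to the coredomain rule would make that intent explicit; otherwise a short comment on the coredomain rule, `# binder_in_vendor_violators is only exempt from the neverallow; it gets no grant here`, avoids the surprise.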
@@ -420,6 +423,24 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
+# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
+# domain apps need this because Android framework offers many of its services to apps as Binder
+# services.
+full_treble_only(`
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } binder_device:chr_file rw_file_perms;
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } servicemanager:binder { call transfer };
+')
+
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
   domain
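Review bot: The first neverallow added inside `full_treble_only` uses `rw_file_perms` on `binder_device:chr_file`, whereas the neighbouring neverallows for vndservicemanager just above the hunk use the broader `no_rw_file_perms` set that this file applies to neverallow statements. If `no_rw_file_perms` covers permissions that `rw_file_perms` does not, the new rule leaves those uncovered for non-core vendor domains; `} binder_device:chr_file no_rw_file_perms;` would align it with the existing convention. It is also worth saying in the comment that, because the block is wrapped in `full_treble_only`, the neverallow is not compiled at all on non-full-TREBLE builds, so new violators are only caught when `target_full_treble` is set, e.g. `# Not checked on non-full-TREBLE builds; build with target_full_treble to catch violators`. The `/data/dalvik-cache` neverallow that starts at the end of the hunk continues outside it.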
diff --git a/public/te_macros b/public/te_macros
index aeb291613..52f2e1b61 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -394,6 +394,18 @@ define(`non_system_app_set', `{ appdomain -system_app }')
 #
 define(`recovery_only', ifelse(target_recovery, `true', $1, ))
 
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1, ))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
 #####################################
 # Userdebug or eng builds
 # SELinux rules which apply only to userdebug or eng builds
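Review bot: Neither new macro documents the behaviour when `target_full_treble` is not defined: m4's `ifelse` then compares the literal token `target_full_treble` with `true`, so `full_treble_only` expands to nothing and `not_full_treble` expands to its argument, meaning an undefined symbol silently selects the less restrictive non-TREBLE rules and drops the Binder neverallows without any error. That is a sensible default, but it should be stated in each header comment, e.g. `# Expands to nothing unless target_full_treble is defined as `true' (undefined => not full TREBLE)`. Where the symbol is defined is presumably the build system, which is outside this hunk.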
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 3bde9ecdc..5e49605ff 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -7,3 +7,6 @@ init_daemon_domain(hal_wifi_supplicant_default)
 net_domain(hal_wifi_supplicant_default)
 # Create a socket for receiving info from wpa
 type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
+
+# TODO(b/34603782): Remove this once Wi-Fi Supplicant HAL stops using Binder
+typeattribute hal_wifi_supplicant_default binder_in_vendor_violators;
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index 9357042f5..dff18ce56 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -6,7 +6,7 @@ init_daemon_domain(vndservicemanager);
 allow vndservicemanager self:binder set_context_mgr;
 
 # transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
-allow vndservicemanager { domain -init }:binder transfer;
+allow vndservicemanager { domain -coredomain -init }:binder transfer;
 
 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
 
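Review bot: The TODO comment on the `# transfer binder objects` line is now partially stale: the rule no longer transfers to every domain but to `{ domain -coredomain -init }`, which still covers non-core app domains and any non-core vendor domain. Updating it to describe what remains, e.g. `# transfer binder objects to vendor domains and non-core apps (TODO b/35870313: limit this to vendor-only)`, keeps comment and rule in step. The explicit `-init` implies init is not a coredomain at this point; if this commit assigns init the attribute elsewhere, the exclusion becomes redundant but is harmless.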
-- 
GitLab