Vendor domains must not use Binder

On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95

Vendor domains must not use Binder
On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
f5446eb1 · Alex Klyubin · 93f99cb1 · f5446eb1 · f5446eb1 · f5446eb1
Commit f5446eb1 authored 7 years ago by Alex Klyubin
--- a/private/lmkd.te
+++ b/private/lmkd.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute lmkd coredomain;
+
 init_daemon_domain(lmkd)
--- a/private/logd.te
+++ b/private/logd.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute logd coredomain;
+
 init_daemon_domain(logd)

 # logd is not allowed to write anywhere other than /data/misc/logd, and then

--- a/private/logpersist.te
+++ b/private/logpersist.te
+typeattribute logpersist coredomain;
+
 # android debug log storage in logpersist domains (eng and userdebug only)
 userdebug_or_eng(`


--- a/private/mdnsd.te
+++ b/private/mdnsd.te
 # mdns daemon

+typeattribute mdnsd coredomain;
 typeattribute mdnsd mlstrustedsubject;

 type mdnsd_exec, exec_type, file_type;

--- a/private/mediacodec.te
+++ b/private/mediacodec.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediacodec coredomain;
+
 init_daemon_domain(mediacodec)
--- a/private/mediadrmserver.te
+++ b/private/mediadrmserver.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediadrmserver coredomain;
+
 init_daemon_domain(mediadrmserver)
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaextractor coredomain;
+
 init_daemon_domain(mediaextractor)
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediametrics coredomain;
+
 init_daemon_domain(mediametrics)
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mediaserver coredomain;
+
 init_daemon_domain(mediaserver)
--- a/private/modprobe.te
+++ b/private/modprobe.te
+typeattribute modprobe coredomain;
--- a/private/mtp.te
+++ b/private/mtp.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute mtp coredomain;
+
 init_daemon_domain(mtp)
--- a/private/netd.te
+++ b/private/netd.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute netd coredomain;
+
 init_daemon_domain(netd)

 # Allow netd to spawn dnsmasq in it's own domain

--- a/private/nfc.te
+++ b/private/nfc.te
 # nfc subsystem
+typeattribute nfc coredomain;
 app_domain(nfc)
 net_domain(nfc)


--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_chroot coredomain;
+
 # Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
 domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
--- a/private/otapreopt_slot.te
+++ b/private/otapreopt_slot.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute otapreopt_slot coredomain;
+
 # Technically not a daemon but we do want the transition from init domain to
 # cppreopts to occur.
 init_daemon_domain(otapreopt_slot)
--- a/private/performanced.te
+++ b/private/performanced.te
+typeattribute performanced coredomain;
+
 init_daemon_domain(performanced)
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -2,6 +2,7 @@
 ### Apps signed with the platform key.
 ###

+typeattribute platform_app coredomain;
 typeattribute platform_app domain_deprecated;

 app_domain(platform_app)

--- a/private/postinstall.te
+++ b/private/postinstall.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall coredomain;
+
 domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute postinstall_dexopt coredomain;
+
 # Run dex2oat/patchoat in its own sandbox.
 # We have to manually transition, as we don't have an entrypoint.
 domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
--- a/private/ppp.te
+++ b/private/ppp.te
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
+typeattribute ppp coredomain;
+
 domain_auto_trans(mtp, ppp_exec, ppp)