From fa57d4153871330265b5bd3f37c4b0e1f172eb06 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Fri, 21 Apr 2017 16:59:55 -0700
Subject: [PATCH] Tighten isolated_app -> *Binder policy

* isolated_app is no longer permitted to access /dev/hwbinder -- this
  was granted by mistake.
* There are now neverallows which enforce that isolated_app can't
  access HwBinder and VendorBinder.
* There are now neverallows which enforce that isolated_app can't add
  Binder and VendorBinder services to servicemanager and
  vndservicemanager.

Test: mmm system/sepolicy
Bug: 34454312
Change-Id: I8ba90a0dcb6a9fccd8f50c78cbd2409381376f7a
---
 private/isolated_app.te | 11 +++++++++++
 public/domain.te        |  2 +-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/private/isolated_app.te b/private/isolated_app.te
index 418a3224e..ac9dc04ba 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -62,6 +62,17 @@ neverallow isolated_app app_data_file:file open;
 neverallow isolated_app anr_data_file:file ~{ open append };
 neverallow isolated_app anr_data_file:dir ~search;
 
+# Isolated apps must not be permitted to use HwBinder
+neverallow isolated_app hwbinder_device:chr_file *;
+neverallow isolated_app *:hwservice_manager *;
+
+# Isolated apps must not be permitted to use VndBinder
+neverallow isolated_app vndbinder_device:chr_file *;
+
+# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
+# except the find actions for services whitelisted below.
+neverallow isolated_app *:service_manager ~find;
+
 # b/17487348
 # Isolated apps can only access three services,
 # activity_service, display_service and webviewupdate_service.
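Review bot: The comment above `neverallow isolated_app *:service_manager ~find;` says find is allowed "for services whitelisted below", but the rule itself permits `find` on every service_manager type; the three-service restriction is only enforced by the separate neverallow that follows (the b/17487348 block, whose body runs past the end of this hunk). A reader checking this rule in isolation could conclude isolated_app may look up any service, so I would reword the comment to `# Find is permitted here for all service_manager types; the whitelist of the three findable services is enforced by the b/17487348 neverallow below.`. It would also help to state that this covers both servicemanager and vndservicemanager as the commit message claims — presumably both use the `service_manager` object class, but that is not visible in this hunk and worth confirming in the comment.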
diff --git a/public/domain.te b/public/domain.te
index 7976c1472..acd5341fd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -75,7 +75,7 @@ allow {
 } binder_device:chr_file rw_file_perms;
 # Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
 not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
-allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
+allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
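Review bot: The exclusion list on the hwbinder_device allow now carries three domains with no explanation, while the binder_device rule just above it does get a comment; the reason isolated_app is carved out lives only in private/isolated_app.te, which a reader of domain.te will not see. I would add a one-line comment above the changed line, e.g. `# isolated_app is excluded: isolated apps must not use HwBinder (enforced by a neverallow in private/isolated_app.te).`, so the grant and the neverallow are cross-referenced from both sides. The allow block this hunk edits begins before the hunk, so I cannot tell whether the servicemanager/vndservicemanager exclusions are explained elsewhere in that block.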
-- 
GitLab