Alex Klyubin authored
App domains which host arbitrary code must not have access to
arbitrary HwBinder services. Such access unnecessarily increases the
attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL
   currently does not expose caller UID information and, even if it
   did, many HwBinder services either operate at a layer below that of
   apps (e.g., HALs) or must not rely on app identity for
   authorization. Thus, to be safe, the default assumption is that
   a HwBinder service treats all its clients as equally authorized to
   perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with
   higher incidence rate of security issues than system/core
   components and have access to lower layers of the stack (all the way
   down to hardware) thus increasing opportunities for bypassing the
   Android security model.

HwBinder services offered by core components (as opposed to vendor
components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are
considered safe for access by these apps. This is because these HALs
by definition do not offer any additional access beyond what their
client already has, because these services run in the process of the
client.

This commit thus introduces these two categories of HwBinder services
in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2a7f4fb0
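The rule shape the commit message describes, written out in the neverallow syntax used by system/sepolicy, as an added example. This is not the commit's own diff (the page does not show it); the attribute and type names `hwservice_manager_type`, `same_process_hwservice`, `coredomain_hwservice`, `hal_graphics_mapper_hwservice`, `hal_camera_hwservice` and the app domains listed are assumed here for illustration, since the page does not name the identifiers the commit uses.

```selinux
# Added example, not the commit's diff. Attribute, type and domain names
# below are assumptions; the page does not name the identifiers used.

# Category 1: HwBinder services that are always same-process (passthrough
# HALs). They execute inside the client's process, so letting the client
# 'find' them grants nothing the client does not already have.
attribute same_process_hwservice;

# Category 2: HwBinder services offered by core (non-vendor) components.
# Considered safer than vendor HALs because of point #2 in the message.
attribute coredomain_hwservice;

# Illustrative service labels: a passthrough graphics mapper carries the
# same-process attribute; a vendor camera HAL deliberately does not.
type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
type hal_camera_hwservice, hwservice_manager_type;

# App domains that host arbitrary third-party code must not be able to
# look up arbitrary HwBinder services through hwservicemanager. The only
# carve-outs from the neverallow set are the two safe categories above.
# Every other hwservice_manager_type label stays unreachable from apps,
# regardless of what allow rules a vendor policy tries to add.
neverallow { untrusted_app ephemeral_app isolated_app } {
    hwservice_manager_type
    -same_process_hwservice
    -coredomain_hwservice
}:hwservice_manager find;

# Build-time check only (the message notes no on-device policy change):
# any allow rule that contradicts the neverallow fails policy compilation
# when the tree is built, e.g. with the 'mmm system/sepolicy' from the
# commit's Test: line.
```

Two things a reviewer would want to verify when such a carve-out exists: first, that every type tagged `same_process_hwservice` really is served only in passthrough mode, because a vendor that later binderizes such a HAL turns the "no additional access" argument into cross-process reachability without any policy diff flagging it; second, that the `coredomain_hwservice` set is audited on its own, since "safer than vendor HALs" (point #2) is a relative statement and point #1, the absence of caller authentication, still applies to it.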
adbd.te
asan_extract.te
attributes
audioserver.te
blkid.te
blkid_untrusted.te
bluetooth.te
bootanim.te
bootstat.te
bufferhubd.te
cameraserver.te
charger.te
clatd.te
cppreopts.te
crash_dump.te
device.te
dex2oat.te
dhcp.te
dnsmasq.te
domain.te
domain_deprecated.te
drmserver.te
dumpstate.te
ephemeral_app.te
file.te
fingerprintd.te
fsck.te
fsck_untrusted.te
gatekeeperd.te
global_macros
hal_allocator.te
hal_audio.te
hal_bluetooth.te
hal_bootctl.te
hal_camera.te
hal_configstore.te
hal_contexthub.te
hal_drm.te
hal_dumpstate.te
hal_fingerprint.te
hal_gatekeeper.te
hal_gnss.te
hal_graphics_allocator.te
hal_graphics_composer.te
hal_health.te
hal_ir.te
hal_keymaster.te
hal_light.te
hal_memtrack.te
hal_neverallows.te
hal_nfc.te
hal_power.te
hal_sensors.te
hal_telephony.te
hal_thermal.te
hal_tv_cec.te
hal_tv_input.te
hal_usb.te
hal_vibrator.te
hal_vr.te
hal_wifi.te
hal_wifi_supplicant.te
healthd.te
hwservice.te
hwservicemanager.te
idmap.te
incident.te
incidentd.te
init.te
inputflinger.te
install_recovery.te
installd.te
ioctl_defines
ioctl_macros
isolated_app.te
kernel.te
keystore.te
lmkd.te
logd.te
logpersist.te
mdnsd.te
mediacodec.te
mediadrmserver.te
mediaextractor.te
mediametrics.te
mediaserver.te
modprobe.te
mtp.te
net.te
netd.te
netutils_wrapper.te
neverallow_macros
nfc.te
otapreopt_chroot.te
otapreopt_slot.te
performanced.te
perfprofd.te
platform_app.te
postinstall.te
postinstall_dexopt.te