Merge changes Icdf207c5,I20aa48ef

am: 30a06d278f

Change-Id: Ia505b1539cfd64bb93c2f5fe0dbd0603df5e9f5f

private/app_neverallows.te

@@ -250,6 +250,11 @@ neverallow all_untrusted_apps {
   -untrusted_app_visible_hwservice_violators
 }:hwservice_manager find;
 
+neverallow all_untrusted_apps {
+  vendor_service
+  vintf_service
+}:service_manager find;
+
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 

public/attributes

@@ -98,6 +98,12 @@ attribute ephemeral_app_api_service;
 # services which export only system_api
 attribute system_api_service;
 
+# services which should only be available to vendor
+attribute vendor_service;
+
+# services which should be available system<->vendor
+attribute vintf_service;
+
 # All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.

public/domain.te

@@ -88,15 +88,9 @@ allow domain ashmem_server:fd use;
 allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
 allow { domain -coredomain -appdomain } ashmem_server: binder call;
 
-# /dev/binder can be accessed by non-vendor domains and by apps
-allow {
-  coredomain
-  appdomain
-  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  -hwservicemanager
-} binder_device:chr_file rw_file_perms;
-# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
-not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+
 allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
@@ -630,30 +624,21 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
-# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
-# domain apps need this because Android framework offers many of its services to apps as Binder
-# services.
-full_treble_only(`
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  } binder_device:chr_file rw_file_perms;
-')
+# system services cant add vendor services
+neverallow {
+  coredomain
+} vendor_service:service_manager add;
 
-# libcutils can probe for /dev/binder permissions with access(). Ignore
-# generated denials. See b/129073672 for details.
-dontaudit domain binder_device:chr_file audit_access;
+# vendor services cant add system services
+neverallow {
+  domain
+  -coredomain
+} {
+  service_manager_type
+  -vendor_service
+  -vintf_service
+}:service_manager add;
 
-full_treble_only(`
-  neverallow {
-    domain
-    -coredomain
-    -appdomain # restrictions for vendor apps are declared lower down
-    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  } service_manager_type:service_manager find;
-')
 full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
@@ -679,14 +664,6 @@ full_treble_only(`
     -vr_manager_service
   }:service_manager find;
 ')
-full_treble_only(`
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  } servicemanager:binder { call transfer };
-')
 
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
 full_treble_only(`

vendor/mediacodec.te

@@ -3,15 +3,6 @@ type mediacodec_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(mediacodec)
 
-not_full_treble(`
-    # on legacy devices, continue to allow /dev/binder traffic
-    binder_use(mediacodec)
-    binder_service(mediacodec)
-    add_service(mediacodec, mediacodec_service)
-    allow mediacodec mediametrics_service:service_manager find;
-    allow mediacodec surfaceflinger_service:service_manager find;
-')
-
 # can route /dev/binder traffic to /dev/vndbinder
 vndbinder_use(mediacodec)