Restrict access to ro.serialno and ro.boot.serialno

This restricts access to ro.serialno and ro.boot.serialno, the two system properties which contain the device's serial number, to a select few SELinux domains which need the access. In particular, this removes access to these properties from Android apps. Apps can access the serial number via the public android.os.Build API. System properties are not public API for apps. The reason for the restriction is that serial number is a globally unique identifier which cannot be reset by the user. Thus, it can be used as a super-cookie by apps. Apps need to wean themselves off of identifiers not resettable by the user. Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome Test: Access the device via ADB (ADBD exposes serial number) Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo Bug: 31402365 Bug: 33700679 Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
2016-12-20 15:31:37 -08:00 · 2016-12-20 15:31:37 -08:00 · 20151072a7
commit 20151072a7
parent e91740a588
8 changed files with 30 additions and 0 deletions
--- a/private/property_contexts
+++ b/private/property_contexts
@ -59,6 +59,8 @@ persist.security.       u:object_r:system_prop:s0
 persist.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boot.vendor.overlay.  u:object_r:overlay_prop:s0
 ro.boottime.             u:object_r:boottime_prop:s0
+ro.serialno             u:object_r:serialno_prop:s0
+ro.boot.serialno        u:object_r:serialno_prop:s0

 # Boolean property set by system server upon boot indicating
 # if device owner is provisioned.
--- a/public/adbd.te
+++ b/public/adbd.te
@ -55,6 +55,9 @@ set_prop(adbd, ffs_prop)
 # Access device logging gating property
 get_prop(adbd, device_logging_prop)

+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;

--- a/public/domain.te
+++ b/public/domain.te
@ -374,6 +374,18 @@ neverallow * default_android_service:service_manager add;
 neverallow { domain -init } default_prop:property_service set;
 neverallow { domain -init } mmc_prop:property_service set;

+# Do not allow reading device's serial number from system properties except form
+# a few whitelisted domains.
+neverallow {
+  domain
+  -adbd
+  -dumpstate
+  -init
+  -mediadrmserver
+  -recovery
+  -system_server
+} serialno_prop:file r_file_perms;
+
 neverallow {
  domain
  -init
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@ -187,6 +187,9 @@ set_prop(dumpstate, dumpstate_prop)
 # dumpstate_options_prop is used to pass extra command-line args.
 set_prop(dumpstate, dumpstate_options_prop)

+# Read device's serial number from system properties
+get_prop(dumpstate, serialno_prop)
+
 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@ -55,6 +55,9 @@ allow mediadrmserver surfaceflinger_service:service_manager find;
 allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

+# Permit reading device's serial number from system properties
+get_prop(mediadrmserver, serialno_prop)
+
 ###
 ### neverallow rules
 ###
--- a/public/property.te
+++ b/public/property.te
@ -36,6 +36,7 @@ type powerctl_prop, property_type, core_property_type;
 type radio_prop, property_type, core_property_type;
 type restorecon_prop, property_type, core_property_type;
 type safemode_prop, property_type;
+type serialno_prop, property_type;
 type shell_prop, property_type, core_property_type;
 type system_prop, property_type, core_property_type;
 type system_radio_prop, property_type, core_property_type;
--- a/public/recovery.te
+++ b/public/recovery.te
@ -92,6 +92,9 @@ recovery_only(`
  # Start/stop adbd via ctl.start adbd
  set_prop(recovery, ctl_default_prop)

+  # Read device's serial number from system properties
+  get_prop(recovery, serialno_prop)
+
  # Use setfscreatecon() to label files for OTA updates.
  allow recovery self:process setfscreate;

--- a/public/system_server.te
+++ b/public/system_server.te
@ -388,6 +388,9 @@ set_prop(system_server, cppreopt_prop)
 # Collect metrics on boot time created by init
 get_prop(system_server, boottime_prop)

+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
 # Create a socket for receiving info from wpa.
 allow system_server wpa_socket:dir rw_dir_perms;
 allow system_server system_wpa_socket:sock_file create_file_perms;