Assert apps can access only approved HwBinder services

App domains which host arbitrary code must not have access to
arbitrary HwBinder services. Such access unnecessarily increases the
attack surface. The reason is twofold:
1. HwBinder servers do not perform client authentication because HIDL
   currently does not expose caller UID information and, even if it
   did, many HwBinder services either operate at a layer below that of
   apps (e.g., HALs) or must not rely on app identity for
   authorization. Thus, to be safe, the default assumption is that
   a HwBinder service treats all its clients as equally authorized to
   perform operations offered by the service.
2. HAL servers (a subset of HwBinder services) contain code with
   higher incidence rate of security issues than system/core
   components and have access to lower layes of the stack (all the way
   down to hardware) thus increasing opportunities for bypassing the
   Android security model.

HwBinder services offered by core components (as opposed to vendor
components) are considered safer because of point #2 above.

Always same-process aka always-passthrough HwBinder services are
considered safe for access by these apps. This is because these HALs
by definition do not offer any additional access beyond what its
client already as, because these services run in the process of the
client.

This commit thus introduces these two categories of HwBinder services
in neverallow rules.

Test: mmm system/sepolicy -- this does not change on-device policy
Bug: 34454312
Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d

private/app_neverallows.te

@@ -107,3 +107,55 @@ neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
 # Locking of files on /system could lead to denial of service attacks
 # against privileged system components
 neverallow all_untrusted_apps system_file:file lock;
+
+# Do not permit access from apps which host arbitrary code to HwBinder services,
+# except those considered sufficiently safe for access from such apps.
+# The two main reasons for this are:
+# 1. HwBinder servers do not perform client authentication because HIDL
+#    currently does not expose caller UID information and, even if it did, many
+#    HwBinder services either operate at a level below that of apps (e.g., HALs)
+#    or must not rely on app identity for authorization. Thus, to be safe, the
+#    default assumption is that every HwBinder service treats all its clients as
+#    equally authorized to perform operations offered by the service.
+# 2. HAL servers (a subset of HwBinder services) contain code with higher
+#    incidence rate of security issues than system/core components and have
+#    access to lower layes of the stack (all the way down to hardware) thus
+#    increasing opportunities for bypassing the Android security model.
+neverallow all_untrusted_apps {
+  hwservice_manager_type
+  # Same process services are safe because they by definition run in the process
+  # of the client and thus have the same access as the client domain in which
+  # the process runs
+  -same_process_hwservice
+  -coredomain_hwservice # neverallows for coredomain HwBinder services are below
+  -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
+  # These operations are also offered by surfaceflinger Binder service which
+  # apps are permitted to access
+  -hal_graphics_allocator_hwservice
+  # HwBinder version of mediacodec Binder service which apps were permitted to
+  # access
+  -hal_omx_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+  coredomain_hwservice
+  -same_process_hwservice
+  -hidl_allocator_hwservice # Designed for use by any domain
+  -hidl_manager_hwservice # Designed for use by any domain
+  -hidl_memory_hwservice # Designed for use by any domain
+  -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
+# Restrict *Binder access from apps to HAL domains. We can only do this on full
+# Treble devices where *Binder communications between apps and HALs are tightly
+# restricted.
+full_treble_only(`
+  neverallow all_untrusted_apps {
+    halserverdomain
+    -coredomain
+    -hal_configstore_server
+    -hal_graphics_allocator_server
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  }:binder { call transfer };
+')

public/attributes

@@ -94,6 +94,14 @@ attribute service_manager_type;
 # All types used for services managed by hwservicemanager
 attribute hwservice_manager_type;
 
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
 # All types used for services managed by vndservicemanager
 attribute vndservice_manager_type;
 

public/domain.te

@@ -1007,3 +1007,12 @@ neverallow {
 
 # Enforce AT_SECURE for executing crash_dump.
 neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;

public/hwservice.te

@@ -1,6 +1,6 @@
 type default_android_hwservice, hwservice_manager_type;
-type fwk_scheduler_hwservice, hwservice_manager_type;
-type fwk_sensor_hwservice, hwservice_manager_type;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hal_audio_hwservice, hwservice_manager_type;
 type hal_bluetooth_hwservice, hwservice_manager_type;
 type hal_bootctl_hwservice, hwservice_manager_type;
@@ -14,7 +14,7 @@ type hal_gatekeeper_hwservice, hwservice_manager_type;
 type hal_gnss_hwservice, hwservice_manager_type;
 type hal_graphics_allocator_hwservice, hwservice_manager_type;
 type hal_graphics_composer_hwservice, hwservice_manager_type;
-type hal_graphics_mapper_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_health_hwservice, hwservice_manager_type;
 type hal_ir_hwservice, hwservice_manager_type;
 type hal_keymaster_hwservice, hwservice_manager_type;
@@ -23,7 +23,7 @@ type hal_memtrack_hwservice, hwservice_manager_type;
 type hal_nfc_hwservice, hwservice_manager_type;
 type hal_omx_hwservice, hwservice_manager_type;
 type hal_power_hwservice, hwservice_manager_type;
-type hal_renderscript_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_sensors_hwservice, hwservice_manager_type;
 type hal_telephony_hwservice, hwservice_manager_type;
 type hal_thermal_hwservice, hwservice_manager_type;
@@ -34,9 +34,9 @@ type hal_vibrator_hwservice, hwservice_manager_type;
 type hal_vr_hwservice, hwservice_manager_type;
 type hal_wifi_hwservice, hwservice_manager_type;
 type hal_wifi_supplicant_hwservice, hwservice_manager_type;
-type hidl_allocator_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type;
-type hidl_memory_hwservice, hwservice_manager_type;
-type hidl_token_hwservice, hwservice_manager_type;
-type system_wifi_keystore_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;