diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 9c762a1e8..847d92c80 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -140,20 +140,63 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
# incidence rate of security issues than system/core components and have
# access to lower layes of the stack (all the way down to hardware) thus
# increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+# associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
neverallow all_untrusted_apps {
hwservice_manager_type
- # Same process services are safe because they by definition run in the process
- # of the client and thus have the same access as the client domain in which
- # the process runs
-same_process_hwservice
- -coredomain_hwservice # neverallows for coredomain HwBinder services are below
- -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
- # These operations are also offered by surfaceflinger Binder service which
- # apps are permitted to access
+ -coredomain_hwservice
+ -hal_configstore_ISurfaceFlingerConfigs
-hal_graphics_allocator_hwservice
- # HwBinder version of mediacodec Binder service which apps were permitted to
- # access
-hal_omx_hwservice
+ -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+ default_android_hwservice
+ hal_audio_hwservice
+ hal_bluetooth_hwservice
+ hal_bootctl_hwservice
+ hal_camera_hwservice
+ hal_contexthub_hwservice
+ hal_drm_hwservice
+ hal_dumpstate_hwservice
+ hal_fingerprint_hwservice
+ hal_gatekeeper_hwservice
+ hal_gnss_hwservice
+ hal_graphics_composer_hwservice
+ hal_health_hwservice
+ hal_ir_hwservice
+ hal_keymaster_hwservice
+ hal_light_hwservice
+ hal_memtrack_hwservice
+ hal_nfc_hwservice
+ hal_oemlock_hwservice
+ hal_power_hwservice
+ hal_sensors_hwservice
+ hal_telephony_hwservice
+ hal_thermal_hwservice
+ hal_tv_cec_hwservice
+ hal_tv_input_hwservice
+ hal_usb_hwservice
+ hal_vibrator_hwservice
+ hal_vr_hwservice
+ hal_weaver_hwservice
+ hal_wifi_hwservice
+ hal_wifi_supplicant_hwservice
+ hidl_base_hwservice
}:hwservice_manager find;
# HwBinder services offered by core components (as opposed to vendor components)
# are considered somewhat safer due to point #2 above.
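Review bot: The second `neverallow all_untrusted_apps { ... }:hwservice_manager find;` on the new side is an enumerated denylist, so once `-untrusted_app_visible_hwservice` is excluded from the first rule, any `hwservice_manager_type` that is not named in that list — including any hwservice type introduced after this change — can be exposed to every untrusted app simply by labeling it with the attribute, which inverts the previous deny-by-default for attribute-bearing types. A comment above the list such as `# Keep in sync with the *_hwservice type declarations: any hwservice type omitted here can be made app-visible via untrusted_app_visible_hwservice` would make that maintenance obligation explicit, and a build-time check that every *_hwservice type appears either here or in the justified exception set would be stronger than a comment. The `#TODO: b/62658302` on `neverallow untrusted_app_visible_hwservice unlabeled:service_manager list;` gives no hint why an hwservice type is being constrained as a subject; a one-line comment stating what the rule is there to enforce (or prevent) and when it can be dropped would spare the next reader a bug lookup. Minor: `becuase` in the added comment block is a typo, and the surrounding comment that reason #2 refers to starts before this hunk.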
diff --git a/public/attributes b/public/attributes
index 90740d456..cde55da19 100644
--- a/public/attributes
+++ b/public/attributes
@@ -144,6 +144,15 @@ attribute socket_between_core_and_vendor_violators;
# TODO(b/36463595)
attribute vendor_executes_system_violators;
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary. It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
+
# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
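Review bot: The comment above `attribute untrusted_app_visible_hwservice;` explains that the attribute is temporary but not what labeling a type with it actually grants, nor that the grant is bounded elsewhere; a reader of public/attributes alone cannot tell that the explicit denylist in private/app_neverallows.te still applies to listed types. Adding `# Labeling a hwservice type with this lifts the all_untrusted_apps hwservice_manager:find neverallow for it; types named in the explicit denylist in private/app_neverallows.te stay denied regardless.` after the first comment line would make the contract visible at the declaration site. Whether vendor policy is permitted to apply this attribute is not evident from this hunk — if it is, that is worth stating here too, since the warning is aimed at exactly that audience.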