Merge "Allow binder services to r/w su:tcp_socket" am: a66a5df13d

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1729830 Change-Id: If3c55331bc2faaf65871b6e28752d8ae8949129d
2021-06-08 22:30:46 +00:00 · 2021-06-08 22:30:46 +00:00 · 34f017a2d0
commit 34f017a2d0
parent 2291ad9dcd a66a5df13d
10 changed files with 37 additions and 9 deletions
--- a/private/audioserver.te
+++ b/private/audioserver.te
@ -95,7 +95,8 @@ neverallow audioserver { file_type fs_type }:file execute_no_trans;
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow audioserver domain:{ udp_socket rawip_socket } *;
+neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;

 # Allow using wake locks
 wakelock_use(audioserver)
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@ -61,4 +61,5 @@ neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
+neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@ -53,7 +53,8 @@ neverallow cameraserver { file_type fs_type }:file execute_no_trans;
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow cameraserver domain:{ udp_socket rawip_socket } *;
+neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;

 # Allow shell commands from ADB for CTS testing/dumping
 allow cameraserver adbd:fd use;
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@ -25,7 +25,21 @@ neverallow {
  -hal_wifi_hostapd_server
  -hal_wifi_supplicant_server
  -hal_telephony_server
-} domain:{ tcp_socket udp_socket rawip_socket } *;
+} domain:{ udp_socket rawip_socket } *;
+
+neverallow {
+  halserverdomain
+  -hal_automotive_socket_exemption
+  -hal_can_controller_server
+  -hal_tetheroffload_server
+  -hal_wifi_server
+  -hal_wifi_hostapd_server
+  -hal_wifi_supplicant_server
+  -hal_telephony_server
+} {
+  domain
+  userdebug_or_eng(`-su')
+}:tcp_socket *;

 ###
 # HALs are defined as an attribute and so a given domain could hypothetically
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@ -46,4 +46,5 @@ neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
+neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
--- a/public/iorapd.te
+++ b/public/iorapd.te
@ -94,4 +94,5 @@ neverallow iorapd {
 }:binder call;

 neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow iorapd domain:{ udp_socket rawip_socket } *;
+neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@ -59,7 +59,8 @@ neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
+neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;

 # mediaextractor should not be opening /data files directly. Any files
 # it touches (with a few exceptions) need to be passed to it via a file
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@ -42,4 +42,5 @@ neverallow mediametrics { file_type fs_type }:file execute_no_trans;
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediametrics domain:{ udp_socket rawip_socket } *;
+neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
--- a/public/te_macros
+++ b/public/te_macros
@ -670,6 +670,12 @@ define(`use_drmservice', `
 define(`add_service', `
  allow $1 $2:service_manager { add find };
  neverallow { domain -$1 } $2:service_manager add;
+
+  # On debug builds with root, allow binder services to use binder over TCP.
+  # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
+  userdebug_or_eng(`
+    allow $1 su:tcp_socket { accept getopt read write };
+  ')
 ')

 ###########################################
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@ -34,5 +34,6 @@ neverallow mediacodec { file_type fs_type }:file execute_no_trans;
 # permissions and be isolated from the rest of the system and network.
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediacodec domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec { domain userdebug_or_eng(`-su') }:tcp_socket *;