Further restrict access to Binder services from vendor
This tightens neverallows for looking up Binder servicemanager services from vendor components. In particular, vendor components, other than apps, are not permitted to look up any Binder services. Vendor apps are permitted to look up only stable public API services which is exactly what non-vendor apps are permitted to use as well. If we permitted vendor apps to use non-stable/hidden Binder services, they might break when core components get updated without updating vendor components. Test: mmm system/sepolicy Bug: 35870313 Change-Id: I949d62b3528cadb4bfe6f5985c25d1f497df0d5a
This commit is contained in:
Alex Klyubin
parent
d46d3a6c53
commit
5c09d123c4
1 changed files with 23 additions and 7 deletions
|
|
@ -442,19 +442,36 @@ full_treble_only(`
|
|||
-appdomain
|
||||
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
|
||||
} binder_device:chr_file rw_file_perms;
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
-appdomain # restrictions for vendor apps are declared lower down
|
||||
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
|
||||
} service_manager_type:service_manager find;
|
||||
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
|
||||
# services which can change any time framework/core is updated, breakage is likely.
|
||||
neverallow {
|
||||
appdomain
|
||||
-coredomain
|
||||
} {
|
||||
service_manager_type
|
||||
-app_api_service
|
||||
-ephemeral_app_api_service
|
||||
}:service_manager find;
|
||||
neverallow {
|
||||
domain
|
||||
-coredomain
|
||||
-appdomain
|
||||
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
|
||||
} servicemanager:binder { call transfer };
|
||||
')
|
||||
|
||||
##
|
||||
# On full TREBLE devices core android components and vendor components may
|
||||
# not directly access each other data types. All communication must occur
|
||||
# over HW binder. Open file descriptors may be passed and read/write/stat
|
||||
# operations my be performed on those FDs. Disallow all other operations.
|
||||
#
|
||||
##
|
||||
# On full TREBLE devices core android components and vendor components may
|
||||
# not directly access each other's data types. All communication must occur
|
||||
# over HW binder. Open file descriptors may be passed and read/write/stat
|
||||
# operations my be performed on those FDs. Disallow all other operations.
|
||||
full_treble_only(`
|
||||
# do not allow vendor component access to coredomains data types
|
||||
neverallow {
|
||||
domain
|
||||
|
|
@ -479,7 +496,6 @@ full_treble_only(`
|
|||
-appdomain
|
||||
-coredata_in_vendor_violators
|
||||
} system_data_file:dir ~search;
|
||||
|
||||
')
|
||||
|
||||
# On full TREBLE devices, socket communications between core components and vendor components are
|
||||
|
|
|
|||
Loading…
Reference in a new issue