Revert "Re-open /dev/binder access to all." am: 6b2eaade82

am: db28fe2381

Change-Id: Icf5ceb3f52e309852347b462a008ee24f14aa017
This commit is contained in:
Steven Moreland 2019-08-20 16:06:43 -07:00 committed by android-build-merger
commit 64f3d8d104
3 changed files with 39 additions and 27 deletions

View file

@ -250,11 +250,6 @@ neverallow all_untrusted_apps {
-untrusted_app_visible_hwservice_violators
}:hwservice_manager find;
neverallow all_untrusted_apps {
vendor_service
vintf_service
}:service_manager find;
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;

View file

@ -98,12 +98,6 @@ attribute ephemeral_app_api_service;
# services which export only system_api
attribute system_api_service;
# services which should only be available to vendor
attribute vendor_service;
# services which should be available system<->vendor
attribute vintf_service;
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.

View file

@ -88,9 +88,15 @@ allow domain ashmem_server:fd use;
allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
allow { domain -coredomain -appdomain } ashmem_server: binder call;
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
# /dev/binder can be accessed by non-vendor domains and by apps
allow {
coredomain
appdomain
binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-hwservicemanager
} binder_device:chr_file rw_file_perms;
# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
@ -624,21 +630,30 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
# system services cant add vendor services
neverallow {
coredomain
} vendor_service:service_manager add;
# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
# domain apps need this because Android framework offers many of its services to apps as Binder
# services.
full_treble_only(`
neverallow {
domain
-coredomain
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} binder_device:chr_file rw_file_perms;
')
# vendor services cant add system services
neverallow {
domain
-coredomain
} {
service_manager_type
-vendor_service
-vintf_service
}:service_manager add;
# libcutils can probe for /dev/binder permissions with access(). Ignore
# generated denials. See b/129073672 for details.
dontaudit domain binder_device:chr_file audit_access;
full_treble_only(`
neverallow {
domain
-coredomain
-appdomain # restrictions for vendor apps are declared lower down
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} service_manager_type:service_manager find;
')
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
@ -664,6 +679,14 @@ full_treble_only(`
-vr_manager_service
}:service_manager find;
')
full_treble_only(`
neverallow {
domain
-coredomain
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} servicemanager:binder { call transfer };
')
# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
full_treble_only(`