From b75b047f44bfd7bb030466fd2c00da782db27f08 Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Tue, 20 Aug 2019 22:42:58 +0000
Subject: [PATCH] Reland "Re-open /dev/binder access to all."

This reverts commit 6b2eaade8201e49a746173ff13f9bd89f024eb81.

Reason for revert: reland original CL

Separate runtime infrastructure now makes sure that only Stable AIDL interfaces are used system<->vendor.

Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor
---
 private/app_neverallows.te | 5 ++++
 public/attributes | 6 ++++
 public/domain.te | 56 ++++++++++++--------------------------
 3 files changed, 28 insertions(+), 39 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index d496e90f0..a2223b254 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -250,6 +250,11 @@ neverallow all_untrusted_apps {
     -untrusted_app_visible_hwservice_violators
 }:hwservice_manager find;
 
+neverallow all_untrusted_apps {
+    vendor_service
+    vintf_service
+}:service_manager find;
+
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 
diff --git a/public/attributes b/public/attributes
index 5cada23c3..c5e0cba8f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -98,6 +98,12 @@ attribute ephemeral_app_api_service;
 # services which export only system_api
 attribute system_api_service;
 
+# services which should only be available to vendor
+attribute vendor_service;
+
+# services which should be available system<->vendor
+attribute vintf_service;
+
 # All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
diff --git a/public/domain.te b/public/domain.te
index e12c22472..377150685 100644
--- a/public/domain.te
+++ b/public/domain.te
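Review bot: The new `neverallow all_untrusted_apps { vendor_service vintf_service }:service_manager find;` carries no comment, while the neighbouring neverallows in this file each state their rationale (e.g. `# SELinux is not an API for untrusted apps to use`). A one-line comment such as `# Vendor-facing services (vendor_service, vintf_service) are not an API for untrusted apps` would make the intent checkable the next time someone asks to exempt a type from it. Both attributes are introduced by this same commit in public/attributes, so the rule is otherwise self-contained. The neverallow block that starts above this hunk (`neverallow all_untrusted_apps {` on hwservice_manager) is only partly visible here.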
@@ -88,15 +88,9 @@ allow domain ashmem_server:fd use;
 allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
 allow { domain -coredomain -appdomain } ashmem_server: binder call;
 
-# /dev/binder can be accessed by non-vendor domains and by apps
-allow {
-    coredomain
-    appdomain
-    binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-    -hwservicemanager
-} binder_device:chr_file rw_file_perms;
-# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
-not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+
 allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
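Review bot: The comment added above the new allow rule, `# /dev/binder can be accessed by ... everyone! :)`, records the outcome but not the reason, and the reason is the argument the rest of this file now relies on. Per the commit message the system<->vendor boundary is meant to be held by the Stable AIDL runtime together with the service_manager neverallows further down in domain.te, not by access to the device node, so a future reader should find that here; suggest `# /dev/binder can be accessed by all domains; system<->vendor use is restricted to stable AIDL interfaces by the service_manager neverallows below.` The only exclusions kept are `-hwservicemanager -vndservicemanager`, matching the removed not_full_treble variant, so every other domain (including isolated_app, which the neighbouring hwbinder_device rule excludes) is now granted rw_file_perms; since appdomain was already in the removed set this looks intentional, but it is worth confirming.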
@@ -630,30 +624,22 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
-# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
-# domain apps need this because Android framework offers many of its services to apps as Binder
-# services.
-full_treble_only(`
-    neverallow {
-        domain
-        -coredomain
-        -appdomain
-        -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-    } binder_device:chr_file rw_file_perms;
-')
+# system services cant add vendor services
+neverallow {
+    coredomain
+} vendor_service:service_manager add;
 
-# libcutils can probe for /dev/binder permissions with access(). Ignore
-# generated denials. See b/129073672 for details.
-dontaudit domain binder_device:chr_file audit_access;
+# vendor services cant add system services
+neverallow {
+    domain
+    -coredomain
+    -binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
+} {
+    service_manager_type
+    -vendor_service
+    -vintf_service
+}:service_manager add;
 
-full_treble_only(`
-    neverallow {
-        domain
-        -coredomain
-        -appdomain # restrictions for vendor apps are declared lower down
-        -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-    } service_manager_type:service_manager find;
-')
 full_treble_only(`
 # Vendor apps are permited to use only stable public services. If they were to use arbitrary
 # services which can change any time framework/core is updated, breakage is likely.
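Review bot: The replacement rules restrict only `add`: `neverallow { coredomain } vendor_service:service_manager add;` stops system domains from registering vendor services, but nothing in this hunk stops coredomain from finding a vendor_service, and the removed `neverallow { domain -coredomain -appdomain -binder_in_vendor_violators } service_manager_type:service_manager find;` was the policy-level restriction on non-app vendor domains looking up system services. The new attribute's comment in public/attributes, `# services which should only be available to vendor`, therefore says more than the policy enforces. If lookup is now deliberately left to the runtime, as the commit message suggests, record that next to the rule, e.g. `# system services cant add vendor services (lookup is constrained by the stable AIDL runtime, not by policy)`; otherwise add `neverallow coredomain vendor_service:service_manager find;`. Unlike the rules they replace, the two new neverallows are not wrapped in full_treble_only and so apply on non-Treble devices as well, which may be intended but is not stated. Minor: both new comments spell `cant` where `can't` is meant.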
@@ -679,14 +665,6 @@ full_treble_only(`
         -vr_manager_service
     }:service_manager find;
 ')
-full_treble_only(`
-    neverallow {
-        domain
-        -coredomain
-        -appdomain
-        -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-    } servicemanager:binder { call transfer };
-')
 
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
 full_treble_only(`