same_process_hal_file: access to individual coredomains

Remove blanket coredomain access to same_process_hal_file in favor of granular access. This change takes into account audits from go/sedenials (our internal dogfood program) Bug: 37211678 Test: m selinux_policy Change-Id: I5634fb65c72d13007e40c131a600585a05b8c4b5
2018-10-18 12:39:35 -07:00 · 2018-10-18 12:39:35 -07:00 · 90cf5a7fb3
commit 90cf5a7fb3
parent 564eb9d6d6
9 changed files with 14 additions and 22 deletions
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@ -47,12 +47,6 @@ allow isolated_app webview_zygote_tmpfs:file read;
 # suppress denials to /data/local/tmp
 dontaudit isolated_app shell_data_file:dir search;

-# TODO(b/37211678): give isolated_app explicit access to same_process_hal_file
-# if needed.
-userdebug_or_eng(`
-  auditallow isolated_app same_process_hal_file:file *;
-')
-
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
 allow isolated_app traced:fd use;
--- a/private/system_server.te
+++ b/private/system_server.te
@ -234,6 +234,7 @@ allow system_server hal_graphics_composer:fd use;

 # Use RenderScript always-passthrough HAL
 allow system_server hal_renderscript_hwservice:hwservice_manager find;
+allow system_server same_process_hal_file:file { execute read open getattr map };

 # Offer HwBinder services
 add_hwservice(system_server, fwk_scheduler_hwservice)
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@ -70,6 +70,8 @@ allow webview_zygote zygote:process sigchld;
 # Allow apps access to /vendor/overlay
 r_dir_file(webview_zygote, vendor_overlay_file)

+allow webview_zygote same_process_hal_file:file { execute read open getattr map };
+
 #####
 ##### Neverallow
 #####
--- a/private/zygote.te
+++ b/private/zygote.te
@ -114,6 +114,8 @@ userdebug_or_eng(`
 allow zygote ion_device:chr_file r_file_perms;
 allow zygote tmpfs:dir r_dir_perms;

+allow zygote same_process_hal_file:file { execute read open getattr map };
+
 # Let the zygote access overlays so it can initialize the AssetManager.
 get_prop(zygote, overlay_prop)
 get_prop(zygote, exported_overlay_prop)
--- a/public/app.te
+++ b/public/app.te
@ -308,6 +308,7 @@ allow { appdomain -isolated_app } hal_camera:fd use;

 # RenderScript always-passthrough HAL
 allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+allow appdomain same_process_hal_file:file { execute read open getattr map };

 # TODO: switch to meminfo service
 allow appdomain proc_meminfo:file r_file_perms;
--- a/public/domain.te
+++ b/public/domain.te
@ -188,22 +188,10 @@ allow domain vendor_hal_file:dir r_dir_perms;

 # Everyone can read and execute all same process HALs
 allow domain same_process_hal_file:dir r_dir_perms;
-# TODO(b/37211678): whitelist domains that actually need same process HALs.
-allow domain same_process_hal_file:file { execute read open getattr map };
-# Touching same_process_hal_file indicates usage of SP-HALs or abuse of
-# same_process_hal_file label, which is what we are interested in.
-userdebug_or_eng(`
-  auditallow {
-    coredomain
-    -zygote
-    -hal_allocator_client
-    # Graphics mapper clients.
-    -hal_graphics_allocator_client
-    # Renderscript clients include { system_server appdomain -isolated_app }.
-    -appdomain
-    -system_server
-  } same_process_hal_file:file *;
-')
+allow {
+    domain
+    -coredomain # access is explicitly granted to individual coredomains
+} same_process_hal_file:file { execute read open getattr map };

 # Any process can load vndk-sp libraries, which are system libraries
 # used by same process HALs
--- a/public/hal_allocator.te
+++ b/public/hal_allocator.te
@ -3,3 +3,4 @@ binder_call(hal_allocator_client, hal_allocator_server)

 hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice)
 allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
+allow hal_allocator_client same_process_hal_file:file { execute read open getattr map };
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@ -3,6 +3,7 @@ binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)

 hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
 allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };

 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@ -76,6 +76,8 @@ userdebug_or_eng(`
  r_dir_file(perfprofd, vendor_file)
  # Vendor apps.
  r_dir_file(perfprofd, vendor_app_file)
+  # SP HAL files.
+  r_dir_file(perfprofd, same_process_hal_file)

  # simpleperf will set security.perf_harden to enable access to perf_event_open()
  set_prop(perfprofd, shell_prop)