Prevent vendor_init from using binder or sockets

Bug: 72809699 Test: build Change-Id: Ifb66ad13557af7d2dc6d3ef823e326a5fba51b24
2018-02-09 11:31:56 -08:00 · 2018-02-09 11:31:56 -08:00 · a099830e3d
commit a099830e3d
parent d388f370c6
4 changed files with 6 additions and 1 deletions
--- a/public/domain.te
+++ b/public/domain.te
@ -389,6 +389,7 @@ neverallow * init:process ptrace;
 # Init can't do anything with binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
 neverallow * init:binder *;
+neverallow * vendor_init:binder *;

 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@ -12,6 +12,7 @@ allow servicemanager self:binder set_context_mgr;
 allow servicemanager {
  domain
  -init
+  -vendor_init
  -hwservicemanager
  -vndservicemanager
 }:binder transfer;
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@ -4,6 +4,9 @@ type vendor_init, domain, mlstrustedsubject;
 # Communication to the main init process
 allow vendor_init init:unix_stream_socket { read write };

+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
 # Logging to kmsg
 allow vendor_init kmsg_device:chr_file { open write };

--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@ -6,7 +6,7 @@ init_daemon_domain(vndservicemanager);
 allow vndservicemanager self:binder set_context_mgr;

 # transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
-allow vndservicemanager { domain -coredomain -init }:binder transfer;
+allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;

 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;