diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 1150ae3e0..2f4513191 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -250,11 +250,6 @@ neverallow all_untrusted_apps {
 -untrusted_app_visible_hwservice_violators
 }:hwservice_manager find;
-neverallow all_untrusted_apps {
- vendor_service
- vintf_service
-}:service_manager find;
-
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
diff --git a/public/attributes b/public/attributes
index ef876d4c5..72b3076bb 100644
--- a/public/attributes
+++ b/public/attributes
@@ -98,12 +98,6 @@ attribute ephemeral_app_api_service;
 # services which export only system_api
 attribute system_api_service;
-# services which should only be available to vendor
-attribute vendor_service;
-
-# services which should be available system<->vendor
-attribute vintf_service;
-
 # All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.
diff --git a/public/domain.te b/public/domain.te
index 0a586766f..f0bf0e69b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -88,9 +88,15 @@ allow domain ashmem_server:fd use;
 allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
 allow { domain -coredomain -appdomain } ashmem_server: binder call;
-# /dev/binder can be accessed by ... everyone! :)
-allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
-
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow {
+ coredomain
+ appdomain
+ binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ -hwservicemanager
+} binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
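Review bot: The new unconditional allow on binder_device drops the explicit `-vndservicemanager` exclusion that both the removed rule and the `not_full_treble` fallback in this same hunk carry; that is only safe while vndservicemanager is attributed neither coredomain nor appdomain. The context line `neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;` in the later domain.te hunk would fail the policy build if that ever changed, so the invariant is enforced, but nothing here says the new rule relies on it. I would extend the comment to `# /dev/binder can be accessed by non-vendor domains and by apps (vndservicemanager is kept out by the neverallow further down)`. `binder_in_vendor_violators` is not declared anywhere in this diff, so it is presumably an attribute that already exists elsewhere; worth confirming it is still defined after the public/attributes deletions.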
@@ -624,21 +630,30 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-# system services cant add vendor services
-neverallow {
- coredomain
-} vendor_service:service_manager add;
+# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
+# domain apps need this because Android framework offers many of its services to apps as Binder
+# services.
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } binder_device:chr_file rw_file_perms;
+')
-# vendor services cant add system services
-neverallow {
- domain
- -coredomain
-} {
- service_manager_type
- -vendor_service
- -vintf_service
-}:service_manager add;
+# libcutils can probe for /dev/binder permissions with access(). Ignore
+# generated denials. See b/129073672 for details.
+dontaudit domain binder_device:chr_file audit_access;
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain # restrictions for vendor apps are declared lower down
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } service_manager_type:service_manager find;
+')
 full_treble_only(`
 # Vendor apps are permited to use only stable public services. If they were to use arbitrary
 # services which can change any time framework/core is updated, breakage is likely.
@@ -664,6 +679,14 @@ full_treble_only(`
 -vr_manager_service
 }:service_manager find;
 ')
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } servicemanager:binder { call transfer };
+')
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
 full_treble_only(`
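Review bot: The removed rules forbade non-coredomain domains from *adding* services to servicemanager (`service_manager add`), whereas the replacement neverallow in this hunk covers only `find`, so after this commit the only thing stopping a vendor domain from registering into servicemanager on a full TREBLE device is the `servicemanager:binder { call transfer }` neverallow added in the next hunk. If the intent is that non-core, non-app domains never use servicemanager, stating it at the service_manager class as well keeps the guarantee local and independent of that second rule: `} service_manager_type:service_manager { add find };`. The `dontaudit domain binder_device:chr_file audit_access;` line is correctly narrow (only the access() probe, not the rw permissions), but it sits between two full_treble_only blocks; grouping it with the binder_device neverallow above would make its scope easier to find. The inline `# restrictions for vendor apps are declared lower down` refers to the vendor-app find block that starts at the end of this hunk and continues past it.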
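Review bot: The new `servicemanager:binder { call transfer }` neverallow is the only one of the three full_treble_only blocks added to domain.te in this commit that carries no comment, so a reader reaching it cannot tell why vendor domains are cut off from servicemanager entirely or why `transfer` is listed alongside `call`. I would precede it with `# On full TREBLE devices, non-core domains (other than apps) must not talk to servicemanager at all, not even to transfer a binder to it; vendor services are registered with vndservicemanager instead.` This is also the third copy of the identical exclusion set with the `-binder_in_vendor_violators` TODO(b/35870313); a short remark on the first copy noting that the set is mirrored in the two later neverallows would help whoever eventually removes the attribute to update all three together.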