Merge changes Icdf207c5,I20aa48ef am: 30a06d278f am: 169bfcfe88 am: 99f2860521

am: 4a474dc430

Change-Id: I358be00c77b2d7b7596151d43f98483018ba987f
This commit is contained in:
Steven Moreland 2019-08-20 14:13:04 -07:00 committed by android-build-merger
commit bc0374bdc4
4 changed files with 27 additions and 48 deletions

View file

@ -250,6 +250,11 @@ neverallow all_untrusted_apps {
-untrusted_app_visible_hwservice_violators
}:hwservice_manager find;
neverallow all_untrusted_apps {
vendor_service
vintf_service
}:service_manager find;
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;

View file

@ -98,6 +98,12 @@ attribute ephemeral_app_api_service;
# services which export only system_api
attribute system_api_service;
# services which should only be available to vendor
attribute vendor_service;
# services which should be available system<->vendor
attribute vintf_service;
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.

View file

@ -88,15 +88,9 @@ allow domain ashmem_server:fd use;
allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
allow { domain -coredomain -appdomain } ashmem_server: binder call;
# /dev/binder can be accessed by non-vendor domains and by apps
allow {
coredomain
appdomain
binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-hwservicemanager
} binder_device:chr_file rw_file_perms;
# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
@ -630,30 +624,21 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
# domain apps need this because Android framework offers many of its services to apps as Binder
# services.
full_treble_only(`
neverallow {
domain
-coredomain
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} binder_device:chr_file rw_file_perms;
')
# system services cant add vendor services
neverallow {
coredomain
} vendor_service:service_manager add;
# libcutils can probe for /dev/binder permissions with access(). Ignore
# generated denials. See b/129073672 for details.
dontaudit domain binder_device:chr_file audit_access;
# vendor services cant add system services
neverallow {
domain
-coredomain
} {
service_manager_type
-vendor_service
-vintf_service
}:service_manager add;
full_treble_only(`
neverallow {
domain
-coredomain
-appdomain # restrictions for vendor apps are declared lower down
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} service_manager_type:service_manager find;
')
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
@ -679,14 +664,6 @@ full_treble_only(`
-vr_manager_service
}:service_manager find;
')
full_treble_only(`
neverallow {
domain
-coredomain
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} servicemanager:binder { call transfer };
')
# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
full_treble_only(`

View file

@ -3,15 +3,6 @@ type mediacodec_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mediacodec)
not_full_treble(`
# on legacy devices, continue to allow /dev/binder traffic
binder_use(mediacodec)
binder_service(mediacodec)
add_service(mediacodec, mediacodec_service)
allow mediacodec mediametrics_service:service_manager find;
allow mediacodec surfaceflinger_service:service_manager find;
')
# can route /dev/binder traffic to /dev/vndbinder
vndbinder_use(mediacodec)