From 641c45e258fd95d23e72cd5d3ff46945468943c1 Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Mon, 19 Aug 2019 09:42:23 -0700
Subject: [PATCH 1/2] mediacodec: remove non-Treble allows

Since mediacodec system services have been entirely deleted.

Bug: 80317992
Test: TH
Change-Id: I20aa48ef57474df000279a487f6b077790d273c1
---
 vendor/mediacodec.te | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index 29e1a9015..73467c9f4 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -3,15 +3,6 @@ type mediacodec_exec, exec_type, vendor_file_type, file_type;
 
 init_daemon_domain(mediacodec)
 
-not_full_treble(`
-  # on legacy devices, continue to allow /dev/binder traffic
-  binder_use(mediacodec)
-  binder_service(mediacodec)
-  add_service(mediacodec, mediacodec_service)
-  allow mediacodec mediametrics_service:service_manager find;
-  allow mediacodec surfaceflinger_service:service_manager find;
-')
-
 # can route /dev/binder traffic to /dev/vndbinder
 vndbinder_use(mediacodec)
 

From 94ff361501cc277cac9045bc719b5774e6a9d7d3 Mon Sep 17 00:00:00 2001
From: Steven Moreland
Date: Fri, 2 Aug 2019 14:50:07 -0700
Subject: [PATCH 2/2] Re-open /dev/binder access to all.

Separate runtime infrastructure now makes sure that only Stable AIDL interfaces are used system<->vendor.

Bug: 136027762
Test: boot device, use /dev/binder from vendor
Change-Id: Icdf207c5d5a4ef769c0ca6582dc58306f65be67e
---
 private/app_neverallows.te | 5 ++++
 public/attributes | 6 +++++
 public/domain.te | 55 +++++++++++---------------------------
 3 files changed, 27 insertions(+), 39 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index d496e90f0..a2223b254 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -250,6 +250,11 @@ neverallow all_untrusted_apps {
   -untrusted_app_visible_hwservice_violators
 }:hwservice_manager find;
 
+neverallow all_untrusted_apps {
+  vendor_service
+  vintf_service
+}:service_manager find;
+
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 

diff --git a/public/attributes b/public/attributes
index 5cada23c3..c5e0cba8f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -98,6 +98,12 @@ attribute ephemeral_app_api_service;
 # services which export only system_api
 attribute system_api_service;
 
+# services which should only be available to vendor
+attribute vendor_service;
+
+# services which should be available system<->vendor
+attribute vintf_service;
+
 # All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.

diff --git a/public/domain.te b/public/domain.te
index e12c22472..cacde6f3c 100644
--- a/public/domain.te
+++ b/public/domain.te
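Review bot: The new `neverallow all_untrusted_apps { vendor_service vintf_service }:service_manager find;` block carries no comment, while the hwservice block just above it and the selinuxfs rule right below are both explained; a reader has to open public/attributes to learn what these two attributes mean. Suggest a line before it such as `# Untrusted apps must not find vendor-only services or the system<->vendor (vintf) services; neither is app-facing API.` Unlike the hwservice rule above, this one has no `-..._violators` exemption, which is the stricter and better shape — worth saying so in the comment so nobody adds one later by analogy.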
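Review bot: The comments on `vendor_service` and `vintf_service` say which side may use the service but not that the attribute is meant to be applied in addition to `service_manager_type`, which the new domain.te rule in this same patch relies on (it subtracts the two from `service_manager_type`). A service type that carried only `vendor_service` would not be matched by that neverallow at all. Suggest `# services which should only be available to vendor (apply alongside service_manager_type)` and the same qualifier on the vintf_service comment. The note just below about CHECK_SC_ASSERT_ATTRS in tools/checkfc.c suggests checkfc tracks the service attribute set; the diffstat lists no tools/ change, so it is worth confirming nothing there needs to learn about the two new attributes.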
@@ -88,15 +88,9 @@ allow domain ashmem_server:fd use;
 allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
 allow { domain -coredomain -appdomain } ashmem_server: binder call;
 
-# /dev/binder can be accessed by non-vendor domains and by apps
-allow {
-  coredomain
-  appdomain
-  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  -hwservicemanager
-} binder_device:chr_file rw_file_perms;
-# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
-not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+
 allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
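Review bot: The new comment `# /dev/binder can be accessed by ... everyone! :)` replaces one that described the security boundary but says nothing about what now enforces system<->vendor separation; the commit message locates it in the Stable AIDL runtime checks and this patch adds servicemanager add/find neverallows further down, but a reader of domain.te alone sees only a dropped restriction. Suggest `# /dev/binder is reachable from every domain except the two service managers. System<->vendor separation is enforced by the vendor_service/vintf_service servicemanager neverallows below and by the Stable AIDL runtime checks, not by access to the device node.` The removed block also carried the b/35870313 TODO for binder_in_vendor_violators; if that attribute is now unused it should be retired in a follow-up rather than left dangling.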
@@ -630,30 +624,21 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
-# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
-# domain apps need this because Android framework offers many of its services to apps as Binder
-# services.
-full_treble_only(`
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  } binder_device:chr_file rw_file_perms;
-')
+# system services cant add vendor services
+neverallow {
+  coredomain
+} vendor_service:service_manager add;
 
-# libcutils can probe for /dev/binder permissions with access(). Ignore
-# generated denials. See b/129073672 for details.
-dontaudit domain binder_device:chr_file audit_access;
+# vendor services cant add system services
+neverallow {
+  domain
+  -coredomain
+} {
+  service_manager_type
+  -vendor_service
+  -vintf_service
+}:service_manager add;
 
-full_treble_only(`
-  neverallow {
-    domain
-    -coredomain
-    -appdomain # restrictions for vendor apps are declared lower down
-    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  } service_manager_type:service_manager find;
-')
 full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
@@ -679,14 +664,6 @@ full_treble_only(`
     -vr_manager_service
   }:service_manager find;
 ')
-full_treble_only(`
-  neverallow {
-    domain
-    -coredomain
-    -appdomain
-    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-  } servicemanager:binder { call transfer };
-')
 
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
 full_treble_only(`
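Review bot: The removed full_treble_only neverallow on `service_manager_type:service_manager find` gets no replacement in this hunk, so after the patch nothing in domain.te stops a non-core, non-app domain from finding a system service that is neither vendor_service nor vintf_service; the two new rules constrain only the add direction, and the find side is constrained only for untrusted apps (private/app_neverallows.te in this patch). If the Stable AIDL runtime check named in the commit message is what is relied on for find, a comment above the new rules should say so explicitly; otherwise a find-side counterpart of the second rule, sketched below, keeps the policy self-describing. The two new comments should read `can't` rather than `cant`. Dropping `dontaudit domain binder_device:chr_file audit_access;` (added for b/129073672) may reintroduce access()-probe denials from the two domains still denied /dev/binder, hwservicemanager and vndservicemanager — worth a boot-log check before removing it.
```selinux
# vendor domains may only find vendor-owned or system<->vendor services
neverallow {
  domain
  -coredomain
  -appdomain # restrictions for vendor apps are declared lower down
} {
  service_manager_type
  -vendor_service
  -vintf_service
}:service_manager find;
```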