Initial sepolicy for vndservicemanager.

vndservicemanager is the context manager for binder services that are solely registered and accessed from vendor processes. Bug: 36052864 Test: vendorservicemanager runs Merged-In: Ifbf536932678d0ff13d019635fe6347e185ef387 Change-Id: I430f1762eb83825f6cd4be939a69d46a8ddc80ff
2017-03-21 16:01:52 -07:00 · 2017-03-21 16:01:52 -07:00 · e7d8f4c3c8
commit e7d8f4c3c8
parent 63211f8da2
7 changed files with 42 additions and 5 deletions
--- a/private/file_contexts
+++ b/private/file_contexts
@ -155,6 +155,7 @@
 /dev/usb_accessory	u:object_r:usbaccessory_device:s0
 /dev/vcs[0-9a-z]*	u:object_r:vcs_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
+/dev/vndbinder		u:object_r:vndbinder_device:s0
 /dev/watchdog		u:object_r:watchdog_device:s0
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
--- a/public/device.te
+++ b/public/device.te
@ -7,6 +7,7 @@ type audio_timer_device, dev_type;
 type audio_seq_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
 type block_device, dev_type;
 type camera_device, dev_type;
 type dm_device, dev_type;
--- a/public/domain.te
+++ b/public/domain.te
@ -66,8 +66,8 @@ allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
@ -410,11 +410,15 @@ neverallow {
  -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

-# Only servicemanager/hwservicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager} *:binder set_context_mgr;
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
 # The service managers are only allowed to access their own device node
 neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;

 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
--- a/public/te_macros
+++ b/public/te_macros
@ -293,6 +293,20 @@ get_prop($1, vold_prop)
 # all domains in domain.te.
 ')

+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:process getattr;
+')
+
 #####################################
 # binder_call(clientdomain, serverdomain)
 # Allow clientdomain to perform binder IPC to serverdomain.
--- a/public/vndservicemanager.te
+++ b/public/vndservicemanager.te
@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -28,4 +28,5 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service       u:object_r:hal_vibrator_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service             u:object_r:hal_vr_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service           u:object_r:hal_wifi_default_exec:s0
-/(vendor|system/vendor)/bin/hw/wpa_supplicant           u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hw/wpa_supplicant                                 u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/vndservicemanager                                 u:object_r:vndservicemanager_exec:s0
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@ -0,0 +1,14 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager_exec, exec_type, file_type;
+
+init_daemon_domain(vndservicemanager);
+
+allow vndservicemanager self:binder set_context_mgr;
+
+# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
+allow vndservicemanager { domain -init }:binder transfer;
+
+allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(vndservicemanager)