Merge "Reland "Re-open /dev/binder access to all."" am: aa6793febd

am: 88fedc2159

Change-Id: I3a3ed29426dcc09d41d93ba51bff02e8695fa751
Steven Moreland 2019-08-22 16:26:01 -07:00 committed by android-build-merger
commit f1fbf2734e
3 changed files with 28 additions and 39 deletions


@ -250,6 +250,11 @@ neverallow all_untrusted_apps {
-untrusted_app_visible_hwservice_violators
}:hwservice_manager find;
neverallow all_untrusted_apps {
vendor_service
vintf_service
}:service_manager find;
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
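Review bot: The new `neverallow all_untrusted_apps { vendor_service vintf_service }:service_manager find;` block carries no explanatory comment, while the neighbouring rules in this hunk each have one (the `# SELinux is not an API for untrusted apps to use` line belongs to the selinuxfs rule below it, not to the new block). Because the attribute file describes vintf_service as "available system<->vendor", a reader could take it that vendor-side apps may look these services up; if untrusted vendor apps fall under all_untrusted_apps, the intent should be stated where the rule lives. Suggest a comment directly above the new block such as `# vendor_service and vintf_service are not a public service API for untrusted apps;` / `# they are exposed only between system and vendor components`. The rest of this file's app neverallows is outside the hunk.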


@ -98,6 +98,12 @@ attribute ephemeral_app_api_service;
# services which export only system_api
attribute system_api_service;
# services which should only be available to vendor
attribute vendor_service;
# services which should be available system<->vendor
attribute vintf_service;
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
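Review bot: The comments on the new `vendor_service` and `vintf_service` attributes say "available to vendor" and "available system<->vendor" without saying which servicemanager operations that covers, whereas the enforcing rules in domain.te distinguish `add` from `find` (coredomain may not add vendor_service; non-core domains may add only vendor_service and vintf_service). Suggest tightening them to `# services which only vendor domains may add; not a public API for untrusted apps` and `# services which may be registered by either side and are looked up across the system<->vendor boundary`, adjusted to whatever the find rules actually permit. The `# On change, update CHECK_SC_ASSERT_ATTRS` comment refers to the attribute that follows it outside this hunk; it is worth confirming whether the two new attributes need a corresponding entry there, since no tools/checkfc.c change is among the three files in this commit.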


@ -88,15 +88,9 @@ allow domain ashmem_server:fd use;
allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
allow { domain -coredomain -appdomain } ashmem_server: binder call;
# /dev/binder can be accessed by non-vendor domains and by apps
allow {
coredomain
appdomain
binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-hwservicemanager
} binder_device:chr_file rw_file_perms;
# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
@ -630,30 +624,22 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
# domain apps need this because Android framework offers many of its services to apps as Binder
# services.
full_treble_only(`
neverallow {
domain
-coredomain
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} binder_device:chr_file rw_file_perms;
')
# system services cant add vendor services
neverallow {
coredomain
} vendor_service:service_manager add;
# libcutils can probe for /dev/binder permissions with access(). Ignore
# generated denials. See b/129073672 for details.
dontaudit domain binder_device:chr_file audit_access;
# vendor services cant add system services
neverallow {
domain
-coredomain
-binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
} {
service_manager_type
-vendor_service
-vintf_service
}:service_manager add;
full_treble_only(`
neverallow {
domain
-coredomain
-appdomain # restrictions for vendor apps are declared lower down
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} service_manager_type:service_manager find;
')
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
@ -679,14 +665,6 @@ full_treble_only(`
-vr_manager_service
}:service_manager find;
')
full_treble_only(`
neverallow {
domain
-coredomain
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} servicemanager:binder { call transfer };
')
# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
full_treble_only(`