From e160d14ed1440e9dabb909b09e147103ddaf3a02 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey
Date: Mon, 5 Dec 2016 11:19:11 -0700
Subject: [PATCH] Rules for new installd Binder interface.

Most of this CL mirrors what we've already done for the "netd" Binder interface, while sorting a few lists alphabetically.

Migrating installd to Binder will allow us to get rid of one of the few lingering text-based command protocols, improving system maintainability and security.

Test: builds, boots
Bug: 13758960, 30944031
Change-Id: I59b89f916fd12e22f9813ace6673be38314c97b7
---
 private/service_contexts | 1 +
 public/installd.te | 18 ++++++++++++++++++
 public/service.te | 5 +++--
 public/shell.te | 2 +-
 public/system_app.te | 2 +-
 public/system_server.te | 14 ++++++++------
 6 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/private/service_contexts b/private/service_contexts
index 9269c2cad..43d05521b 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -56,6 +56,7 @@ hdmi_control u:object_r:hdmi_control_service:s0
 inputflinger u:object_r:inputflinger_service:s0
 input_method u:object_r:input_method_service:s0
 input u:object_r:input_service:s0
+installd u:object_r:installd_service:s0
 iphonesubinfo_msim u:object_r:radio_service:s0
 iphonesubinfo2 u:object_r:radio_service:s0
 iphonesubinfo u:object_r:radio_service:s0
diff --git a/public/installd.te b/public/installd.te
index ef5b83aa8..d29f1d9ac 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -118,3 +118,21 @@ allow installd devpts:chr_file rw_file_perms;
 
 # execute toybox for app relocation
 allow installd toolbox_exec:file rx_file_perms;
+
+# Allow installd to publish a binder service and make binder calls.
+binder_use(installd)
+allow installd installd_service:service_manager add;
+allow installd dumpstate:fifo_file { getattr write };
+
+# Allow installd to call into the system server so it can check permissions.
+binder_call(installd, system_server)
+allow installd permission_service:service_manager find;
+
+###
+### Neverallow rules
+###
+
+# only system_server and dumpstate may interact with installd over binder
+neverallow { domain -system_server -dumpstate } installd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } installd:binder call;
+neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/public/service.te b/public/service.te
index 6b874359d..180f498f2 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,14 +1,15 @@
 type audioserver_service, service_manager_type;
+type batteryproperties_service, app_api_service, service_manager_type;
 type bluetooth_service, service_manager_type;
 type cameraserver_service, service_manager_type;
 type default_android_service, service_manager_type;
 type drmserver_service, service_manager_type;
 type dumpstate_service, service_manager_type;
-type gatekeeper_service, app_api_service, service_manager_type;
 type fingerprintd_service, service_manager_type;
-type batteryproperties_service, app_api_service, service_manager_type;
+type gatekeeper_service, app_api_service, service_manager_type;
 type gpu_service, service_manager_type;
 type inputflinger_service, service_manager_type;
+type installd_service, service_manager_type;
 type keystore_service, service_manager_type;
 type mediaserver_service, service_manager_type;
 type mediaanalytics_service, service_manager_type;
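Review bot: The two neverallow rules at the end of the hunk exempt dumpstate, but this CL grants dumpstate nothing on its own side — only installd's half of the pairing is here (`allow installd dumpstate:fifo_file { getattr write }`). Unless dumpstate.te already carries `binder_call(dumpstate, installd)` and a `find` on installd_service (it presumably does for netd, which this CL says it mirrors), the exemption is inert and the first dump of installd over binder will fail at runtime instead of at policy build; worth confirming before merge. The third neverallow would also benefit from a why-comment, since its exemption list is only explained indirectly by the allow rules above it: `# installd calls out only to system_server (permission checks) and servicemanager (registration); su is exempt on debug builds`.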
diff --git a/public/shell.te b/public/shell.te
index 591dabc98..9bfcda7a1 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -90,7 +90,7 @@ allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -netd_service}:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -netd_service -installd_service}:service_manager find;
 allow shell dumpstate:binder call;
 
 # allow shell to look through /proc/ for ps, top, netstat
diff --git a/public/system_app.te b/public/system_app.te
index 7896ac556..6be67313d 100644
--- a/public/system_app.te
+++ b/public/system_app.te
@@ -50,7 +50,7 @@ allow system_app asec_apk_file:file r_file_perms;
 
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
 
 allow system_app keystore:keystore_key {
 	get_state
diff --git a/public/system_server.te b/public/system_server.te
index 4f7f86902..86d3d83c0 100644
--- a/public/system_server.te
+++ b/public/system_server.te
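Review bot: Both hunks grow a hand-maintained subtraction list (`-netd_service -installd_service`) on an otherwise blanket `find` grant, and nothing at the site says why these particular services are carved out; the only thing keeping the list honest is the neverallow in each service's own .te file, which fails the policy build rather than explaining itself. A short comment above each rule would help the next person who trims the list, e.g. `# netd_service and installd_service are reachable only from system_server; see the neverallow rules in netd.te / installd.te`. The existing TODOs on these lines already flag the grants as too broad, and the exclusion list is growing in exactly the direction those TODOs warn against, so this may be the moment to note that a dedicated attribute for system_server-only services is the intended end state, if that is indeed the plan.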
@@ -155,11 +155,12 @@ binder_call(system_server, hal_power)
 binder_call(system_server, hal_thermal)
 binder_call(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
-binder_call(system_server, binderservicedomain)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, fingerprintd)
 binder_call(system_server, { appdomain ephemeral_app })
+binder_call(system_server, binderservicedomain)
 binder_call(system_server, dumpstate)
+binder_call(system_server, fingerprintd)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, installd)
 binder_call(system_server, netd)
 binder_call(system_server, wificond)
 binder_service(system_server)
@@ -455,13 +456,14 @@ allow system_server sysfs_zram:dir search;
 allow system_server sysfs_zram:file r_file_perms;
 
 allow system_server audioserver_service:service_manager find;
+allow system_server batteryproperties_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
 allow system_server dumpstate_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server installd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediaanalytics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;