20151072a7
This restricts access to ro.serialno and ro.boot.serialno, the two system properties which contain the device's serial number, to a select few SELinux domains which need the access. In particular, this removes access to these properties from Android apps. Apps can access the serial number via the public android.os.Build API. System properties are not public API for apps. The reason for the restriction is that serial number is a globally unique identifier which cannot be reset by the user. Thus, it can be used as a super-cookie by apps. Apps need to wean themselves off of identifiers not resettable by the user. Test: Set up fresh GMS device, install some apps via Play, update some apps, use Chrome Test: Access the device via ADB (ADBD exposes serial number) Test: Enable MTP over USB, use mtp-detect to confirm that serial number is reported in MTP DeviceInfo Bug: 31402365 Bug: 33700679 Change-Id: I4713133b8d78dbc63d8272503e80cd2ffd63a2a7
# mediadrmserver - mediadrm daemon
#
# SELinux domain for the media DRM daemon. Besides the media/DRM plumbing,
# this is one of the few domains granted read access to serialno_prop
# (the device serial number); see the get_prop rule near the end.
type mediadrmserver, domain;
type mediadrmserver_exec, exec_type, file_type;

# NOTE(review): mlstrustedsubject exempts the domain from MLS constraints;
# keep that in mind when reviewing the permissions granted below.
typeattribute mediadrmserver mlstrustedsubject;

net_domain(mediadrmserver)
binder_use(mediadrmserver)
binder_call(mediadrmserver, binderservicedomain)
# Binder calls from this domain may also target app domains, not only
# system services.
binder_call(mediadrmserver, appdomain)
binder_service(mediadrmserver)

# Required by Widevine DRM (b/22990512)
# execmem allows writable+executable anonymous memory in this process; it is
# a deliberate W^X exception, scoped to self (this domain only).
allow mediadrmserver self:process execmem;

# System file accesses.
allow mediadrmserver system_file:dir r_dir_perms;
allow mediadrmserver system_file:file r_file_perms;
allow mediadrmserver system_file:lnk_file r_file_perms;

# Read files already opened under /data.
# The file rule grants getattr/read but deliberately not open, consistent
# with the "already opened" intent: descriptors must be handed to the daemon.
allow mediadrmserver system_data_file:dir { search getattr };
allow mediadrmserver system_data_file:file { getattr read };
allow mediadrmserver system_data_file:lnk_file r_file_perms;

# Read access to pseudo filesystems.
r_dir_file(mediadrmserver, cgroup)
# Note: write access to cgroup is granted as well, beyond the "read" in the
# section header above.
allow mediadrmserver cgroup:dir { search write };
allow mediadrmserver cgroup:file w_file_perms;

# Allow access to ion memory allocation device
allow mediadrmserver ion_device:chr_file rw_file_perms;
allow mediadrmserver hal_graphics_allocator:fd use;

# Allow access to app_data and media_data_files
allow mediadrmserver media_data_file:dir create_dir_perms;
allow mediadrmserver media_data_file:file create_file_perms;
# NOTE(review): { getattr read } is presumably already included in
# create_file_perms above, so this rule looks redundant - confirm against
# the macro definitions.
allow mediadrmserver media_data_file:file { getattr read };

# Read/write access to the tee device node (presumably the trusted
# execution environment driver).
allow mediadrmserver tee_device:chr_file rw_file_perms;

# XXX Label with a specific type?
# Broad: this is read access to any file carrying the generic sysfs label,
# not a mediadrm-specific one.
allow mediadrmserver sysfs:file r_file_perms;

# Connect to tee service.
allow mediadrmserver tee:unix_stream_socket connectto;

# Service manager: this domain registers its own services (add) and only
# looks up (find) the others.
allow mediadrmserver mediadrmserver_service:service_manager { add find };
allow mediadrmserver mediaserver_service:service_manager { add find };
allow mediadrmserver mediaanalytics_service:service_manager find;
allow mediadrmserver processinfo_service:service_manager find;
allow mediadrmserver surfaceflinger_service:service_manager find;

# only allow unprivileged socket ioctl commands
# (single statement continued on the next line; scoped to the domain's own
# sockets via self)
allowxperm mediadrmserver self:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

# Permit reading device's serial number from system properties
# The serial number (ro.serialno / ro.boot.serialno) is a globally unique
# identifier the user cannot reset, so serialno_prop is restricted to a
# handful of domains and is no longer readable by apps; this domain is one
# of the permitted readers.
get_prop(mediadrmserver, serialno_prop)

###
### neverallow rules
###

# mediadrmserver should never execute any executable without a
# domain transition
neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;

# do not allow privileged socket ioctl commands
# The target here is the domain attribute, so this covers sockets of any
# domain, not just the self sockets the allowxperm above is limited to.
neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;