platform_system_sepolicy/public/servicemanager.te
Alex Klyubin 00657834b8 Assert ban on framework <-> vendor comms over VndBinder
This adds neverallow rules which enforce the prohibition on
communication between framework and vendor components over VendorBinder.
This prohibition is similar in spirit to the one for Binder
communications.

Most changes consist of adding neverallow rules, which do not affect
runtime behavior. The only change which does affect runtime behavior
is the change which takes away the right of servicemanager domain to
transfer Binder tokens to hwservicemanager and vndservicemanager. This
grant was there by accident (because it was overly broad) and is not
expected to be needed: servicemanager, hwservicemanager, and
vndservicemanager are not supposed to be communicating with each
other.

P. S. The new neverallow rules in app_neverallows.te are covered by
the new rules in domain.te. The rules were nevertheless added to
app_neverallows.te for consistency with other *Binder rules there.

Test: mmm system/sepolicy
Bug: 37663632
Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329
2017-04-25 14:15:52 -07:00

25 lines
904 B
Text

# servicemanager - the Binder context manager
type servicemanager, domain, mlstrustedsubject;
type servicemanager_exec, exec_type, file_type;
# Note that we do not use the binder_* macros here.
# servicemanager is unique in that it only provides
# name service (aka context manager) for Binder.
# As such, it only ever receives and transfers other references
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
allow servicemanager {
domain
-init
-hwservicemanager
-vndservicemanager
}:binder transfer;
# Access to all (system and vendor) service_contexts
# TODO(b/36866029) access to nonplat_service_contexts
# should not be allowed on full treble devices
allow servicemanager service_contexts_file:file r_file_perms;
# Check SELinux permissions.
selinux_check_access(servicemanager)