stats_service: only disallow untrusted access

Allow device-specific domains to access stats_service. All access must
be done over proper APIs (StatsManager, AStatsManager) instead of
accessing the AIDL interfaces directly.

Test: build
Bug: 318788254
Change-Id: I98ddc1900350daf755372be7249f25a462e3242d
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5ea924a..ab8b8d5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -258,6 +258,9 @@
 # Only privileged apps may find the incident service
 neverallow all_untrusted_apps incident_service:service_manager find;
 
+# Only privileged apps may find stats service
+neverallow all_untrusted_apps stats_service:service_manager find;
+
 # Do not allow untrusted app to read hidden system proprerties.
 # We do not include in the exclusions other normally untrusted applications such as mediaprovider
 #  due to the specific logging use cases.
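Review bot: The comment on the added rule, `# Only privileged apps may find stats service`, overstates what the rule enforces. The rule forbids only `all_untrusted_apps`, and this commit also deletes the domain-wide allowlist from private/stats.te, so any other domain (vendor and device-specific ones included) can now be granted `find` on `stats_service` without a build-time failure. I would reword the comment to say that, for example `# Untrusted apps may not find stats_service. Other domains may be granted find, but must use StatsManager/AStatsManager rather than the AIDL interface directly.` SELinux cannot enforce the API-only requirement from the commit message, so recording it next to the rule gives device-policy reviewers something to check against. The membership of `all_untrusted_apps` is defined outside this hunk; it is worth confirming that it covers every app domain that should stay excluded.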
diff --git a/private/stats.te b/private/stats.te
index 5790faa..6261303 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -33,28 +33,3 @@
 # Allow statsd to call back to stats with status updates.
 binder_call(statsd, stats)
 
-###
-### neverallow rules
-###
-
-neverallow {
-  domain
-  -dumpstate
-  -gmscore_app
-  -gpuservice
-  -incidentd
-  -keystore
-  -mediametrics
-  -mediaserver
-  -platform_app
-  -priv_app
-  -rkpdapp
-  -shell
-  -stats
-  -statsd
-  -surfaceflinger
-  -system_app
-  -system_server
-  -traceur_app
-  -traced_probes
-} stats_service:service_manager find;