Add sepolicy for binderfs
/dev/binder, /dev/hwbinder and /dev/vndbinder are relocating
to /dev/binderfs/binder /dev/binderfs/hwbinder and
/dev/binderfs/vndbinder. This patch adds the sepolicy to
allow the switch.
The following are some of the denials that get taken care of by this
patch(there are too many to copy).
audit(1575835230.863:16): avc: denied { search } for comm="servicemanager" name="/" dev="binder" ino=1 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
audit(1575835230.863:16): avc: denied { read } for comm="servicemanager" name="binder" dev="binder" ino=4 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.863:17): avc: denied { write } for comm="servicemanager" name="binder" dev="binder" ino=4 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.863:17): avc: denied { open } for comm="servicemanager" path="/dev/binderfs/binder" dev="binder" ino=4 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.863:18): avc: denied { ioctl } for comm="servicemanager" path="/dev/binderfs/binder" dev="binder" ino=4 ioctlcmd=0x6209 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.863:19): avc: denied { map } for comm="servicemanager" path="/dev/binderfs/binder" dev="binder" ino=4 scontext=u:r:servicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.867:20): avc: denied { search } for comm="vndservicemanag" name="/" dev="binder" ino=1 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
audit(1575835230.867:20): avc: denied { read } for comm="vndservicemanag" name="vndbinder" dev="binder" ino=6 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.867:21): avc: denied { write } for comm="vndservicemanag" name="vndbinder" dev="binder" ino=6 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.867:21): avc: denied { open } for comm="vndservicemanag" path="/dev/binderfs/vndbinder" dev="binder" ino=6 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.867:22): avc: denied { ioctl } for comm="vndservicemanag" path="/dev/binderfs/vndbinder" dev="binder" ino=6 ioctlcmd=0x6209 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.867:23): avc: denied { map } for comm="vndservicemanag" path="/dev/binderfs/vndbinder" dev="binder" ino=6 scontext=u:r:vndservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=chr_file permissive=1
audit(1575835230.871:25): avc: denied { search } for comm="hwservicemanage" name="/" dev="binder" ino=1 scontext=u:r:hwservicemanager:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
audit(1575835238.351:72): avc: denied { search } for comm="android.hardwar" name="proc" dev="binder" ino=1048586 scontext=u:r:hal_configstore_default:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=1
Test: boots without any issues when binderfs in enabled.
Bug: 136497735
Change-Id: Ib0f8f2156c960eb7b394dd7c79ae96c7da8bc213
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index eda155b..882a1c7 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -10,6 +10,9 @@
auth_service
ashmem_libcutils_device
blob_store_service
+ binderfs
+ binderfs_logs
+ binderfs_logs_proc
boringssl_self_test
charger_prop
cold_boot_done_prop
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 855f2d6..266ff7a 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -289,9 +289,15 @@
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
+genfscon binder /binder u:object_r:binder_device:s0
+genfscon binder /hwbinder u:object_r:hwbinder_device:s0
+genfscon binder /vndbinder u:object_r:vndbinder_device:s0
+genfscon binder /binder_logs u:object_r:binderfs_logs:s0
+genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
+genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
diff --git a/public/domain.te b/public/domain.te
index e50ef75..ddfaa82 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,10 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# /dev/binderfs needs to be accessed by everyone too!
+allow domain binderfs:dir { getattr search };
+allow domain binderfs_logs_proc:dir search;
+
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
diff --git a/public/file.te b/public/file.te
index 401e016..11f5b08 100644
--- a/public/file.te
+++ b/public/file.te
@@ -4,6 +4,9 @@
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type, proc_type;
+type binderfs, fs_type;
+type binderfs_logs, fs_type;
+type binderfs_logs_proc, fs_type;
# Security-sensitive proc nodes that should not be writable to most.
type proc_security, fs_type, proc_type;
type proc_drop_caches, fs_type, proc_type;