Remove neverallow preventing hwservice access for apps. am: 3e307a4de5
am: 044d20729b
Change-Id: Ia6f8a806adae230df50f8d06edcf4ba9d2ae4352
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index b050e52..ecca70a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -140,20 +140,63 @@
# incidence rate of security issues than system/core components and have
# access to lower layes of the stack (all the way down to hardware) thus
# increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+# associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
neverallow all_untrusted_apps {
hwservice_manager_type
- # Same process services are safe because they by definition run in the process
- # of the client and thus have the same access as the client domain in which
- # the process runs
-same_process_hwservice
- -coredomain_hwservice # neverallows for coredomain HwBinder services are below
- -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
- # These operations are also offered by surfaceflinger Binder service which
- # apps are permitted to access
+ -coredomain_hwservice
+ -hal_configstore_ISurfaceFlingerConfigs
-hal_graphics_allocator_hwservice
- # HwBinder version of mediacodec Binder service which apps were permitted to
- # access
-hal_omx_hwservice
+ -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+ default_android_hwservice
+ hal_audio_hwservice
+ hal_bluetooth_hwservice
+ hal_bootctl_hwservice
+ hal_camera_hwservice
+ hal_contexthub_hwservice
+ hal_drm_hwservice
+ hal_dumpstate_hwservice
+ hal_fingerprint_hwservice
+ hal_gatekeeper_hwservice
+ hal_gnss_hwservice
+ hal_graphics_composer_hwservice
+ hal_health_hwservice
+ hal_ir_hwservice
+ hal_keymaster_hwservice
+ hal_light_hwservice
+ hal_memtrack_hwservice
+ hal_nfc_hwservice
+ hal_oemlock_hwservice
+ hal_power_hwservice
+ hal_sensors_hwservice
+ hal_telephony_hwservice
+ hal_thermal_hwservice
+ hal_tv_cec_hwservice
+ hal_tv_input_hwservice
+ hal_usb_hwservice
+ hal_vibrator_hwservice
+ hal_vr_hwservice
+ hal_weaver_hwservice
+ hal_wifi_hwservice
+ hal_wifi_supplicant_hwservice
+ hidl_base_hwservice
}:hwservice_manager find;
# HwBinder services offered by core components (as opposed to vendor components)
# are considered somewhat safer due to point #2 above.
diff --git a/public/attributes b/public/attributes
index 2b28cf0..1fe3826 100644
--- a/public/attributes
+++ b/public/attributes
@@ -144,6 +144,15 @@
# TODO(b/36463595)
attribute vendor_executes_system_violators;
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary. It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
+
# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;