Ban socket connections between core and vendor
On PRODUCT_FULL_TREBLE devices, non-vendor domains (coredomain) and
vendor domain are not permitted to connect to each other's sockets.
There are two main exceptions: (1) apps are permitted to talk to other
apps over Unix domain sockets (this is public API in Android
framework), and (2) domains with network access (netdomain) are
permitted to connect to netd.
This commit thus:
* adds neverallow rules restricting socket connection establishment,
* temporarily exempts the domains which are currently violating this
rule from this restriction. These domains are grouped using the new
"socket_between_core_and_vendor_violators" attribute. The attribute
is needed because the types corresponding to violators are not
exposed to the public policy where the neverallow rules are.
Test: mmm system/sepolicy
Bug: 36613996
Change-Id: I458f5a09a964b06ad2bddb52538ec3a15758b003
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 628f971..b0048aa 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -49,6 +49,7 @@
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
+# TODO(b/36613472): Remove this once bluetooth daemon does not communicate with rild over sockets
# Bluetooth Sim Access Profile Socket to the RIL
unix_socket_connect(bluetooth, sap_uim, rild)
diff --git a/private/tee.te b/private/tee.te
index 99f501e..01a52de 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,3 +1,7 @@
typeattribute tee coredomain;
init_daemon_domain(tee)
+
+# TODO(b/36601092, b/36601602): Remove this once Keymaster HAL and DRM HAL no longer communicate
+# with tee daemon over sockets or once the tee daemon is moved to vendor partition
+typeattribute tee socket_between_core_and_vendor_violators;
diff --git a/public/attributes b/public/attributes
index 00035ab..bfd53a3 100644
--- a/public/attributes
+++ b/public/attributes
@@ -122,6 +122,11 @@
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+
# All HAL servers
attribute halserverdomain;
# All HAL clients
diff --git a/public/domain.te b/public/domain.te
index 8a42336..40ebb4d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -441,6 +441,51 @@
} servicemanager:binder { call transfer };
')
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+full_treble_only(`
+ # Most general rules first, more specific rules below.
+
+ # Core domains are not permitted to initiate communications to vendor domain sockets.
+ # We are not restricting the use of already established sockets because it is fine for a process
+ # to obtain an already established socket via some public/official/stable API and then exchange
+ # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+ # and thus does not break the core-vendor separation.
+ neverallow_establish_socket_comms({
+ coredomain
+ -init
+ -adbd
+ }, {
+ domain
+ -coredomain
+ -socket_between_core_and_vendor_violators
+ });
+ # Vendor domains are not permitted to initiate communications to core domain sockets
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
+ -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+ });
+
+ # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -netdomain
+ -socket_between_core_and_vendor_violators
+ }, netd);
+')
+
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index d50812c..5e66c8a 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,6 +2,7 @@
binder_call(hal_keymaster_client, hal_keymaster_server)
allow hal_keymaster tee_device:chr_file rw_file_perms;
+# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
allow hal_keymaster tee:unix_stream_socket connectto;
allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/neverallow_macros b/public/neverallow_macros
index b36cceb..e2b6ed1 100644
--- a/public/neverallow_macros
+++ b/public/neverallow_macros
@@ -4,3 +4,12 @@
define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
define(`no_x_file_perms', `{ execute execute_no_trans }')
define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/public/radio.te b/public/radio.te
index a896659..8c3c6a5 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -5,6 +5,7 @@
bluetooth_domain(radio)
binder_service(radio)
+# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
# Talks to rild via the rild socket.
unix_socket_connect(radio, rild, rild)
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 04ef7aa..d20063f 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -5,3 +5,5 @@
init_daemon_domain(hal_audio_default)
hal_client_domain(hal_audio_default, hal_allocator)
+
+typeattribute hal_audio_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index eba763a..77e6609 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -6,3 +6,6 @@
allow hal_drm_default mediacodec:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;
+
+# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
+typeattribute hal_drm_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 32df262..2fd5b44 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -3,3 +3,6 @@
type hal_keymaster_default_exec, exec_type, file_type;
init_daemon_domain(hal_keymaster_default)
+
+# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
+typeattribute hal_keymaster_default socket_between_core_and_vendor_violators;