Merge "Mark system_ndebug_socket as mlstrustedobject." am: ad38a45cc3 am: e2acb915ad
am: 53047f6d7e
Change-Id: I6e4dac9c891dae5318651a8a44fd7da34e86964c
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 628f971..b0048aa 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -49,6 +49,7 @@
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
+# TODO(b/36613472): Remove this once bluetooth daemon does not communicate with rild over sockets
# Bluetooth Sim Access Profile Socket to the RIL
unix_socket_connect(bluetooth, sap_uim, rild)
diff --git a/private/file_contexts b/private/file_contexts
index bd111b8..1db5210 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -198,7 +198,6 @@
/system/bin/mediametrics u:object_r:mediametrics_exec:s0
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
-/system/bin/mediacodec u:object_r:mediacodec_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
@@ -222,7 +221,6 @@
/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/healthd u:object_r:healthd_exec:s0
-/system/bin/hostapd u:object_r:hostapd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
@@ -249,6 +247,7 @@
/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/vr_wm u:object_r:vr_wm_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
#############################
@@ -331,7 +330,6 @@
/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
-/data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
diff --git a/private/hostapd.te b/private/hostapd.te
deleted file mode 100644
index d895f29..0000000
--- a/private/hostapd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-init_daemon_domain(hostapd)
diff --git a/private/mediacodec.te b/private/mediacodec.te
deleted file mode 100644
index ff290bc..0000000
--- a/private/mediacodec.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mediacodec coredomain;
-
-init_daemon_domain(mediacodec)
diff --git a/private/service_contexts b/private/service_contexts
index 5fd87dc..db2e9f6 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -156,6 +156,7 @@
vibrator u:object_r:vibrator_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
+vr_window_manager u:object_r:vr_window_manager_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
diff --git a/private/system_app.te b/private/system_app.te
index 12ba609..1e2245f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -57,7 +57,7 @@
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service }:service_manager find;
allow system_app keystore:keystore_key {
get_state
diff --git a/private/system_server.te b/private/system_server.te
index 8f85a48..5aae022 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -58,16 +58,13 @@
net_raw
sys_boot
sys_nice
- sys_resource
+ sys_ptrace
sys_time
sys_tty_config
};
wakelock_use(system_server)
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system_server self:capability sys_ptrace;
-
# Trigger module auto-load.
allow system_server kernel:system module_request;
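Review bot: The new `sys_ptrace` capability at the top of this hunk lands without a comment saying why system_server needs it, while the dontaudit it replaces did explain the trigger (/proc/pid accesses). The explanation that does exist in this file sits in the third hunk, on the sys_resource neverallow, so a reader of the capability block cannot tell that CAP_SYS_PTRACE is presumably the replacement for CAP_SYS_RESOURCE when reading sensitive /proc/PID files, nor that ptrace of other domains is forbidden by the new `neverallow system_server { domain -system_server }:process ptrace;`. Suggested comment above the grant: `# sys_ptrace: needed for sensitive /proc/PID file reads (replaces sys_resource, b/34951864); ptracing other domains is blocked by the neverallow at the end of this file`. The capability block itself starts before this hunk.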
@@ -511,6 +508,8 @@
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
+# TODO(b/36506799): move vr_wm code to VrCore and remove this:
+allow system_server vr_window_manager_service:service_manager find;
allow system_server wificond_service:service_manager find;
allow system_server keystore:keystore_key {
@@ -701,3 +700,11 @@
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+# This neverallow can be removed after b/34951864 is fixed.
+neverallow system_server system_server:capability sys_resource;
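Review bot: The comment on the new sys_resource neverallow reads as self-contradictory: the second line says the capability is "now unnecessary (b/34951864)" and the next says the neverallow can be removed "after b/34951864 is fixed", so a reader cannot tell whether the bug is open. If the dependency is still being removed, wording such as `# However, that dependency is being removed (b/34951864). This neverallow keeps the capability from being re-added and can be dropped once b/34951864 is fixed.` says the same thing unambiguously; the second line is also missing its terminating period.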
diff --git a/private/tee.te b/private/tee.te
index 99f501e..01a52de 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,3 +1,7 @@
typeattribute tee coredomain;
init_daemon_domain(tee)
+
+# TODO(b/36601092, b/36601602): Remove this once Keymaster HAL and DRM HAL no longer communicate
+# with tee daemon over sockets or once the tee daemon is moved to vendor partition
+typeattribute tee socket_between_core_and_vendor_violators;
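Review bot: Tagging `tee` as a socket_between_core_and_vendor_violators does not exempt it from anything in the new neverallows, as far as this change shows: the attribute is only subtracted from the vendor-side sets in public/domain.te (`domain -coredomain -socket_between_core_and_vendor_violators`), and tee is a coredomain (first line of this file), so the core side is never filtered by it. The vendor peers named in the TODO are already exempted by their own tags in vendor/hal_keymaster_default.te and vendor/hal_drm_default.te. Either drop this line, or, if it is meant for a rule outside this change, say so in the comment; the attribute's own description in public/attributes ("All vendor domains which violate ...") also does not match tagging a core domain.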
diff --git a/private/vr_wm.te b/private/vr_wm.te
new file mode 100644
index 0000000..38564f2
--- /dev/null
+++ b/private/vr_wm.te
@@ -0,0 +1,5 @@
+# vr_wm - VR Window Manager
+typeattribute vr_wm coredomain;
+
+# The vr_wm is started by init.
+init_daemon_domain(vr_wm)
diff --git a/public/attributes b/public/attributes
index 00035ab..bfd53a3 100644
--- a/public/attributes
+++ b/public/attributes
@@ -122,6 +122,11 @@
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+
# All HAL servers
attribute halserverdomain;
# All HAL clients
diff --git a/public/bootanim.te b/public/bootanim.te
index 9922451..e2584c3 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -22,7 +22,6 @@
allow bootanim audioserver_service:service_manager find;
allow bootanim surfaceflinger_service:service_manager find;
-allow bootanim audioserver_service:service_manager find;
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 8a42336..40ebb4d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -441,6 +441,51 @@
} servicemanager:binder { call transfer };
')
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+full_treble_only(`
+ # Most general rules first, more specific rules below.
+
+ # Core domains are not permitted to initiate communications to vendor domain sockets.
+ # We are not restricting the use of already established sockets because it is fine for a process
+ # to obtain an already established socket via some public/official/stable API and then exchange
+ # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+ # and thus does not break the core-vendor separation.
+ neverallow_establish_socket_comms({
+ coredomain
+ -init
+ -adbd
+ }, {
+ domain
+ -coredomain
+ -socket_between_core_and_vendor_violators
+ });
+ # Vendor domains are not permitted to initiate communications to core domain sockets
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
+ -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+ });
+
+ # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -netdomain
+ -socket_between_core_and_vendor_violators
+ }, netd);
+')
+
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
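Review bot: The exclusions `-init` and `-adbd` on the core side of the first neverallow_establish_socket_comms call carry no reason, whereas every exclusion in the second call is annotated (`-logd # Logging by writing to logd Unix domain socket is public API`, ...); give them the same treatment so the exemptions can be re-evaluated later. Typo in the rationale comment: "dicatated" should be "dictated". The `neverallow {` that begins at the end of the hunk continues outside it.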
diff --git a/public/file.te b/public/file.te
index 2abfe70..fd7b048 100644
--- a/public/file.te
+++ b/public/file.te
@@ -249,8 +249,6 @@
type vold_socket, file_type;
type webview_zygote_socket, file_type;
type wpa_socket, file_type;
-# hostapd control interface.
-type hostapd_socket, file_type;
type zygote_socket, file_type;
type sap_uim_socket, file_type;
# UART (for GPS) control proc file
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index d50812c..5e66c8a 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,6 +2,7 @@
binder_call(hal_keymaster_client, hal_keymaster_server)
allow hal_keymaster tee_device:chr_file rw_file_perms;
+# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
allow hal_keymaster tee:unix_stream_socket connectto;
allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 469c8ba..ecbe280 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -13,6 +13,8 @@
binder_call(mediacodec, appdomain)
binder_service(mediacodec)
+# TODO(b/36604251): Remove this once OMX HAL stops using Binder
+typeattribute mediacodec binder_in_vendor_violators;
add_service(mediacodec, mediacodec_service)
allow mediacodec mediametrics_service:service_manager find;
allow mediacodec surfaceflinger_service:service_manager find;
diff --git a/public/neverallow_macros b/public/neverallow_macros
index b36cceb..e2b6ed1 100644
--- a/public/neverallow_macros
+++ b/public/neverallow_macros
@@ -4,3 +4,12 @@
define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
define(`no_x_file_perms', `{ execute execute_no_trans }')
define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
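Review bot: The header comment for neverallow_establish_socket_comms only restates its name; since this macro is now the single definition of what "establishing" a connection means for the core/vendor separation, it should list the permissions it covers and what it deliberately leaves alone. Suggested: `# Covers connect/sendto on socket_class_set and connectto on unix_stream_socket. Data exchange over an already-established socket (e.g. one obtained through a public API) is intentionally not restricted.`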
diff --git a/public/performanced.te b/public/performanced.te
index 8f9d16b..95038cd 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -10,9 +10,9 @@
# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the
# root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger })
+r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger vr_wm })
dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel sensord surfaceflinger }:process setsched;
+allow performanced { appdomain bufferhubd kernel sensord surfaceflinger vr_wm }:process setsched;
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
diff --git a/public/radio.te b/public/radio.te
index a896659..8c3c6a5 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -5,6 +5,7 @@
bluetooth_domain(radio)
binder_service(radio)
+# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
# Talks to rild via the rild socket.
unix_socket_connect(radio, rild, rild)
diff --git a/public/service.te b/public/service.te
index 478b00e..444f82a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -27,6 +27,7 @@
type system_app_service, service_manager_type;
type update_engine_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
+type vr_window_manager_service, service_manager_type;
# system_server_services broken down
type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index 92d5c27..544550a 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -9,4 +9,4 @@
allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
# Limit access so that nothing else can inject input.
-neverallow { domain -system_app -virtual_touchpad } virtual_touchpad_service:service_manager find;
+neverallow { domain -virtual_touchpad -vr_wm } virtual_touchpad_service:service_manager find;
diff --git a/public/vr_wm.te b/public/vr_wm.te
new file mode 100644
index 0000000..deedb0a
--- /dev/null
+++ b/public/vr_wm.te
@@ -0,0 +1,31 @@
+type vr_wm, domain;
+type vr_wm_exec, exec_type, file_type;
+
+hal_client_domain(vr_wm, hal_graphics_allocator)
+
+binder_use(vr_wm)
+binder_call(vr_wm, surfaceflinger)
+binder_call(vr_wm, virtual_touchpad)
+
+allow vr_wm virtual_touchpad_service:service_manager find;
+
+binder_service(vr_wm)
+add_service(vr_wm, vr_window_manager_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_wm)
+
+# Load vendor libraries.
+allow vr_wm system_file:dir r_dir_perms;
+
+allow vr_wm gpu_device:chr_file rw_file_perms;
+allow vr_wm ion_device:chr_file r_file_perms;
+
+# Get buffer metadata.
+allow vr_wm hal_graphics_allocator:fd use;
+
+use_pdx(vr_wm, bufferhubd)
+use_pdx(vr_wm, sensord)
+use_pdx(vr_wm, surfaceflinger)
+use_pdx(vr_wm, performanced)
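Review bot: The comment `# Load vendor libraries.` sits over `allow vr_wm system_file:dir r_dir_perms;`, which grants directory reads on system_file rather than on a vendor file type, so either the comment or the type is off; please confirm which is intended and align them. `allow vr_wm gpu_device:chr_file rw_file_perms;` and the ion_device rule below it carry no rationale, unlike the neighbouring rules; a line such as `# Direct GPU/ION access for the VR HWC compositing path` (adjust to the actual reason) would help.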
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 0000000..aeafb4a
--- /dev/null
+++ b/vendor/file.te
@@ -0,0 +1,2 @@
+# Socket types
+type hostapd_socket, file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a781341..763a945 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -20,6 +20,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
@@ -29,4 +30,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
+/(vendor|system/vendor)/bin/hostapd u:object_r:hostapd_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
+#############################
+# Data files
+#
+/data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 04ef7aa..d20063f 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -5,3 +5,5 @@
init_daemon_domain(hal_audio_default)
hal_client_domain(hal_audio_default, hal_allocator)
+
+typeattribute hal_audio_default socket_between_core_and_vendor_violators;
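Review bot: This exemption is added with no comment or bug reference, unlike the matching lines in vendor/hal_drm_default.te and vendor/hal_keymaster_default.te, which each carry a TODO naming the core daemon involved and the bug tracking removal. Without that, nobody can later tell which socket communication the audio HAL relies on or when the tag can go. Add one in the same form: `# TODO(b/<BUG-ID>): Remove this once audio HAL no longer communicates with <core daemon> over sockets` (fill in the real bug and peer).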
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index eba763a..77e6609 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -6,3 +6,6 @@
allow hal_drm_default mediacodec:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;
+
+# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
+typeattribute hal_drm_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 32df262..2fd5b44 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -3,3 +3,6 @@
type hal_keymaster_default_exec, exec_type, file_type;
init_daemon_domain(hal_keymaster_default)
+
+# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
+typeattribute hal_keymaster_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_omx.te b/vendor/hal_omx.te
new file mode 100644
index 0000000..fdb4aca
--- /dev/null
+++ b/vendor/hal_omx.te
@@ -0,0 +1 @@
+init_daemon_domain(mediacodec)
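Review bot: The new file is named hal_omx.te but its only rule is for the `mediacodec` domain, whose types live in public/mediacodec.te and whose former private counterpart private/mediacodec.te is deleted in this change; a reader grepping for the domain will not land here. A one-line header such as `# mediacodec (OMX HAL) now runs as a vendor process; domain declared in public/mediacodec.te` would make the mapping explicit.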
diff --git a/public/hostapd.te b/vendor/hostapd.te
similarity index 97%
rename from public/hostapd.te
rename to vendor/hostapd.te
index b40bdc8..02bafaa 100644
--- a/public/hostapd.te
+++ b/vendor/hostapd.te
@@ -2,6 +2,7 @@
type hostapd, domain;
type hostapd_exec, exec_type, file_type;
+init_daemon_domain(hostapd)
net_domain(hostapd)
allow hostapd self:capability { net_admin net_raw };