Merge "DO NOT MERGE ANYWHERE Revert "SEPolicy: Changes for new stack dumping scheme."" into oc-dr1-dev
diff --git a/private/app.te b/private/app.te
index f127b98..508b60c 100644
--- a/private/app.te
+++ b/private/app.te
@@ -69,9 +69,6 @@
# Communicate with surfaceflinger.
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-# Query whether a Surface supports wide color
-allow { appdomain -isolated_app } hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-
# App sandbox file accesses.
allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
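Review bot: After this removal there is no allow rule on this page granting appdomain `hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find`, yet private/app_neverallows.te in the same commit still carves `-hal_configstore_ISurfaceFlingerConfigs` out of the untrusted-app hwservice_manager neverallow. If apps are meant to keep reaching the service through hal_client_domain(appdomain, hal_configstore) defined elsewhere, a comment next to the surfaceflinger rule saying so would make that visible, e.g. `# ISurfaceFlingerConfigs discovery comes from hal_configstore_client (public/hal_configstore.te).`; if they are not, the carve-out in app_neverallows.te should go too so the neverallow actually covers the service. I cannot see appdomain's hal_client_domain lines from this hunk, so this is a request to confirm rather than a definite defect.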
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index b050e52..ecca70a 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -140,20 +140,63 @@
# incidence rate of security issues than system/core components and have
# access to lower layes of the stack (all the way down to hardware) thus
# increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+# associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
neverallow all_untrusted_apps {
hwservice_manager_type
- # Same process services are safe because they by definition run in the process
- # of the client and thus have the same access as the client domain in which
- # the process runs
-same_process_hwservice
- -coredomain_hwservice # neverallows for coredomain HwBinder services are below
- -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
- # These operations are also offered by surfaceflinger Binder service which
- # apps are permitted to access
+ -coredomain_hwservice
+ -hal_configstore_ISurfaceFlingerConfigs
-hal_graphics_allocator_hwservice
- # HwBinder version of mediacodec Binder service which apps were permitted to
- # access
-hal_omx_hwservice
+ -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+ default_android_hwservice
+ hal_audio_hwservice
+ hal_bluetooth_hwservice
+ hal_bootctl_hwservice
+ hal_camera_hwservice
+ hal_contexthub_hwservice
+ hal_drm_hwservice
+ hal_dumpstate_hwservice
+ hal_fingerprint_hwservice
+ hal_gatekeeper_hwservice
+ hal_gnss_hwservice
+ hal_graphics_composer_hwservice
+ hal_health_hwservice
+ hal_ir_hwservice
+ hal_keymaster_hwservice
+ hal_light_hwservice
+ hal_memtrack_hwservice
+ hal_nfc_hwservice
+ hal_oemlock_hwservice
+ hal_power_hwservice
+ hal_sensors_hwservice
+ hal_telephony_hwservice
+ hal_thermal_hwservice
+ hal_tv_cec_hwservice
+ hal_tv_input_hwservice
+ hal_usb_hwservice
+ hal_vibrator_hwservice
+ hal_vr_hwservice
+ hal_weaver_hwservice
+ hal_wifi_hwservice
+ hal_wifi_supplicant_hwservice
+ hidl_base_hwservice
}:hwservice_manager find;
# HwBinder services offered by core components (as opposed to vendor components)
# are considered somewhat safer due to point #2 above.
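Review bot: The explicit neverallow list that closes at `}:hwservice_manager find;` is what stops a vendor from labeling a sensitive HAL with the new `untrusted_app_visible_hwservice` attribute, but `hal_tetheroffload_hwservice`, added in public/hwservice.te by this same commit, is not in it, so a vendor policy could mark the tethering-offload HAL app-visible without tripping any neverallow. Unless untrusted-app access to tetheroffload is intended, add `hal_tetheroffload_hwservice` between `hal_telephony_hwservice` and `hal_thermal_hwservice` in that block. The list is hand-maintained, so a comment such as `# Keep this list in sync with public/hwservice.te: every new hwservice not meant for apps belongs here.` would reduce the chance of the next type being forgotten. Minor: "becuase" in the added block comment should be "because".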
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index db81d0d..1c23f57 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -21,6 +21,10 @@
# package manager.
allow dexoptanalyzer app_data_file:dir { getattr search };
allow dexoptanalyzer app_data_file:file r_file_perms;
+# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
+# "dontaudit...audit_access" policy line to suppress the audit access without
+# suppressing denial on actual access.
+dontaudit dexoptanalyzer app_data_file:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 3595ee4..b33035e 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -14,7 +14,6 @@
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
hal_client_domain(surfaceflinger, hal_configstore)
-allow surfaceflinger hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
# Perform Binder IPC.
diff --git a/private/system_server.te b/private/system_server.te
index 5e7da2f..4afdf95 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -79,6 +79,9 @@
# Allow alarmtimers to be set
allow system_server self:capability2 wake_alarm;
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+
# Use netlink uevent sockets.
allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
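Review bot: The comment on the new rule says the netlink_netfilter sockets are created and shared for tetheroffload, but the rule itself only lets system_server create and use its own sockets; the sharing half is the rule in public/hal_tetheroffload.te that lets hal_tetheroffload_server read/write/setopt/getattr a hal_tetheroffload_client's socket, and it only applies if system_server carries hal_tetheroffload_client, which this hunk does not show (the second hunk of this file adds hal_configstore, not hal_tetheroffload). Suggest the comment point at the dependency: `# Create netlink_netfilter_sockets and pass them to the tetheroffload HAL (server-side rules in public/hal_tetheroffload.te; requires hal_client_domain(system_server, hal_tetheroffload)).`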
@@ -177,6 +180,7 @@
# Use HALs
hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_fingerprint)
hal_client_domain(system_server, hal_gnss)
diff --git a/public/attributes b/public/attributes
index 2b28cf0..1fe3826 100644
--- a/public/attributes
+++ b/public/attributes
@@ -144,6 +144,15 @@
# TODO(b/36463595)
attribute vendor_executes_system_violators;
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary. It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
+
# PDX services
attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index 4bf6cfd..66a168e 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -1,6 +1,8 @@
# HwBinder IPC from client to server
binder_call(hal_configstore_client, hal_configstore_server)
+allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
# As opposed to the rules of most other HALs, the different services exposed by
# this HAL should be restricted to different clients. Thus, the allow rules for
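Review bot: The added `allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;` grants discovery of this service to every domain carrying the client attribute, while the comment immediately below says the services exposed by this HAL should be restricted to different clients, so a reader sees a contradiction. A short comment on the added line explaining why a blanket find on ISurfaceFlingerConfigs is acceptable, if that is the intent, would resolve it, e.g. `# Every configstore client may find ISurfaceFlingerConfigs; the per-client restriction described below applies to the binder_call rules.` The comment block this hunk cuts into continues past its last line, so the wording should be checked against the full text.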
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index feadcda..fc2b5f6 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -8,14 +8,16 @@
-rild
} self:capability { net_admin net_raw };
-# Unless a HAL's job is to manage network hardware, it should not be
-# using network sockets.
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
neverallow {
halserverdomain
+ -hal_tetheroffload_server
-hal_wifi_server
-hal_wifi_supplicant_server
-rild
} domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_tetheroffload_server unlabeled:service_manager list; #TODO: b/62658302
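Review bot: The new `-hal_tetheroffload_server` exemption lifts the tcp/udp/rawip neverallow for any vendor domain carrying that attribute, but the only socket use this commit shows for the HAL is a client-supplied netlink_netfilter_socket in public/hal_tetheroffload.te, which was never covered by this neverallow, so the exemption is broader than what the page justifies. The updated comment ("communicate over the network, or control network hardware") does not say which of the three socket classes the offload HAL actually needs; naming it there, and narrowing the exemption to that class if it is only one, would keep the CTS-enforced bound for the others. If the full exemption is deliberate, a one-line comment on the `-hal_tetheroffload_server` line stating the reason would let a later reviewer tell intent from oversight.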
###
# HALs are defined as an attribute and so a given domain could hypothetically
diff --git a/public/hal_tetheroffload.te b/public/hal_tetheroffload.te
index a4c21fcd..48d67a2 100644
--- a/public/hal_tetheroffload.te
+++ b/public/hal_tetheroffload.te
@@ -1,3 +1,8 @@
## HwBinder IPC from client to server, and callbacks
binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
+
+allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
+
+# allow the client to pass the server already open netlink sockets
+allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/public/hwservice.te b/public/hwservice.te
index c3f3077..bb2c668 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -28,6 +28,7 @@
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
type hal_sensors_hwservice, hwservice_manager_type;
type hal_telephony_hwservice, hwservice_manager_type;
+type hal_tetheroffload_hwservice, hwservice_manager_type;
type hal_thermal_hwservice, hwservice_manager_type;
type hal_tv_cec_hwservice, hwservice_manager_type;
type hal_tv_input_hwservice, hwservice_manager_type;
diff --git a/public/te_macros b/public/te_macros
index d65eb88..2d1ec03 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -101,6 +101,10 @@
typeattribute $2 pdx_$1_endpoint_dir_type;
type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+userdebug_or_eng(`
+dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
+dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
+')
')
#####################################
diff --git a/vendor/hal_tetheroffload_default.te b/vendor/hal_tetheroffload_default.te
new file mode 100644
index 0000000..03c542b
--- /dev/null
+++ b/vendor/hal_tetheroffload_default.te
@@ -0,0 +1,5 @@
+type hal_tetheroffload_default, domain;
+hal_server_domain(hal_tetheroffload_default, hal_tetheroffload)
+
+type hal_tetheroffload_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_tetheroffload_default)
diff --git a/vendor/rild.te b/vendor/rild.te
index ea9109b..510a776 100644
--- a/vendor/rild.te
+++ b/vendor/rild.te
@@ -2,7 +2,3 @@
# public, but conceptually should go with this
type rild_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(rild)
-
-# TODO(b/36613472), TODO(b/36718031): Remove this once rild no longer
-# communicates with non-vendor components over sockets.
-typeattribute rild socket_between_core_and_vendor_violators;