te_macros: introduce add_service() macro

Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro grants the { add find } permissions, which
causes some existing neverallows to assert. Adjust those
neverallows so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
diff --git a/private/storaged.te b/private/storaged.te
index c6276a3..1d87251 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -24,7 +24,7 @@
 ')
 
 # Binder permissions
-allow storaged storaged_service:service_manager add;
+add_service(storaged, storaged_service)
 
 binder_use(storaged)
 binder_call(storaged, system_server)
diff --git a/public/audioserver.te b/public/audioserver.te
index 676b04e..bc0b989 100644
--- a/public/audioserver.te
+++ b/public/audioserver.te
@@ -30,7 +30,7 @@
 allow audioserver audio_device:dir r_dir_perms;
 allow audioserver audio_device:chr_file rw_file_perms;
 
-allow audioserver audioserver_service:service_manager { add find };
+add_service(audioserver, audioserver_service)
 allow audioserver appops_service:service_manager find;
 allow audioserver batterystats_service:service_manager find;
 allow audioserver permission_service:service_manager find;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 4135926..13c2890 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -21,11 +21,11 @@
 allow cameraserver ion_device:chr_file rw_file_perms;
 allow cameraserver hal_graphics_allocator:fd use;
 
+add_service(cameraserver, cameraserver_service)
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;
 allow cameraserver batterystats_service:service_manager find;
 allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver cameraserver_service:service_manager add;
 allow cameraserver mediaserver_service:service_manager find;
 allow cameraserver processinfo_service:service_manager find;
 allow cameraserver scheduling_policy_service:service_manager find;
diff --git a/public/drmserver.te b/public/drmserver.te
index ab42696..453ce12 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -50,7 +50,7 @@
 allow drmserver oemfs:dir search;
 allow drmserver oemfs:file r_file_perms;
 
-allow drmserver drmserver_service:service_manager { add find };
+add_service(drmserver, drmserver_service)
 allow drmserver permission_service:service_manager find;
 
 selinux_check_access(drmserver)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index a495211..c120736 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -188,17 +188,14 @@
 allow dumpstate proc_zoneinfo:file r_file_perms;
 
 # Create a service for talking back to system_server
-allow dumpstate dumpstate_service:service_manager add;
+add_service(dumpstate, dumpstate_service)
 
 ###
 ### neverallow rules
 ###
 
-# only dumpstate can add the dumpstate service
-neverallow { domain -dumpstate } dumpstate_service:service_manager add;
-
-# only system_server and shell can find the dumpstate service
-neverallow { domain -system_server -shell } dumpstate_service:service_manager find;
+# only system_server, dumpstate and shell can find the dumpstate service
+neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
 
 # Dumpstate should not be writing to any generically labeled sysfs files.
 # Create a specific label for the file type
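Review bot: The updated rule `neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;` now excludes dumpstate, but the comment above it only restates the list and does not say that the exclusion exists because add_service() grants the owning domain find on its own service; the next reader is likely to ask whether dumpstate actually looks up its own service. The same applies to the installd and netd find neverallows changed later in this commit, whose comments were likewise only extended with the domain name. I would add above each of the three rules: `# the owning domain is excluded because add_service() grants it find on its own service`.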
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index b27f014..57cde1d 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -7,7 +7,7 @@
 allow fingerprintd system_file:dir r_dir_perms;
 
 # need to find KeyStore and add self
-allow fingerprintd fingerprintd_service:service_manager { add find };
+add_service(fingerprintd, fingerprintd_service)
 
 # allow HAL module to read dir contents
 allow fingerprintd fingerprintd_data_file:file { create_file_perms };
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 88a2e00..e842cd2 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -8,7 +8,7 @@
 binder_use(gatekeeperd)
 
 # need to find KeyStore and add self
-allow gatekeeperd gatekeeper_service:service_manager { add find };
+add_service(gatekeeperd, gatekeeper_service)
 
 # Scan through /system/lib64/hw looking for installed HALs
 allow gatekeeperd system_file:dir r_dir_perms;
@@ -32,5 +32,3 @@
 allow gatekeeperd hardware_properties_service:service_manager find;
 
 r_dir_file(gatekeeperd, cgroup)
-
-neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
diff --git a/public/healthd.te b/public/healthd.te
index fcc5afc..2f26b9e 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -57,7 +57,7 @@
 allow healthd self:process execmem;
 allow healthd proc_sysrq:file rw_file_perms;
 
-allow healthd batteryproperties_service:service_manager { add find };
+add_service(healthd, batteryproperties_service)
 
 # Healthd needs to tell init to continue the boot
 # process when running in charger mode.
diff --git a/public/inputflinger.te b/public/inputflinger.te
index 14cfdc7..e5f12a0 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -9,7 +9,7 @@
 
 wakelock_use(inputflinger)
 
-allow inputflinger inputflinger_service:service_manager { add find };
+add_service(inputflinger, inputflinger_service)
 allow inputflinger input_device:dir r_dir_perms;
 allow inputflinger input_device:chr_file rw_file_perms;
 
diff --git a/public/installd.te b/public/installd.te
index bf83b9d..08255a4 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -121,7 +121,7 @@
 
 # Allow installd to publish a binder service and make binder calls.
 binder_use(installd)
-allow installd installd_service:service_manager add;
+add_service(installd, installd_service)
 allow installd dumpstate:fifo_file  { getattr write };
 
 # Allow installd to call into the system server so it can check permissions.
@@ -136,7 +136,7 @@
 ### Neverallow rules
 ###
 
-# only system_server and dumpstate may interact with installd over binder
-neverallow { domain -system_server -dumpstate } installd_service:service_manager find;
+# only system_server, installd and dumpstate may interact with installd over binder
+neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } installd:binder call;
 neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/public/keystore.te b/public/keystore.te
index 4215017..457ff37 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -12,7 +12,7 @@
 allow keystore tee_device:chr_file rw_file_perms;
 allow keystore tee:unix_stream_socket connectto;
 
-allow keystore keystore_service:service_manager { add find };
+add_service(keystore, keystore_service)
 allow keystore sec_key_att_app_id_provider_service:service_manager find;
 
 # Check SELinux permissions.
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 27b27e0..9f07d85 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -9,7 +9,7 @@
 binder_call(mediacodec, appdomain)
 binder_service(mediacodec)
 
-allow mediacodec mediacodec_service:service_manager add;
+add_service(mediacodec, mediacodec_service)
 allow mediacodec mediametrics_service:service_manager find;
 allow mediacodec surfaceflinger_service:service_manager find;
 allow mediacodec gpu_device:chr_file rw_file_perms;
diff --git a/public/mediadrmserver.te b/public/mediadrmserver.te
index 781229b..f93cf45 100644
--- a/public/mediadrmserver.te
+++ b/public/mediadrmserver.te
@@ -10,8 +10,8 @@
 binder_call(mediadrmserver, appdomain)
 binder_service(mediadrmserver)
 
-allow mediadrmserver mediadrmserver_service:service_manager { add find };
-allow mediadrmserver mediaserver_service:service_manager { add find };
+add_service(mediadrmserver, mediadrmserver_service)
+allow mediadrmserver mediaserver_service:service_manager find;
 allow mediadrmserver mediametrics_service:service_manager find;
 allow mediadrmserver processinfo_service:service_manager find;
 allow mediadrmserver surfaceflinger_service:service_manager find;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 7187c22..deecc00 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -9,7 +9,7 @@
 binder_call(mediaextractor, appdomain)
 binder_service(mediaextractor)
 
-allow mediaextractor mediaextractor_service:service_manager add;
+add_service(mediaextractor, mediaextractor_service)
 allow mediaextractor mediametrics_service:service_manager find;
 
 allow mediaextractor system_server:fd use;
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 9b4409b..84d184b 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -7,7 +7,7 @@
 binder_call(mediametrics, binderservicedomain)
 binder_service(mediametrics)
 
-allow mediametrics mediametrics_service:service_manager add;
+add_service(mediametrics, mediametrics_service)
 
 allow mediametrics system_server:fd use;
 
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 56654e5..16b8013 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -78,6 +78,7 @@
 # Connect to tee service.
 allow mediaserver tee:unix_stream_socket connectto;
 
+add_service(mediaserver, mediaserver_service)
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
 allow mediaserver audioserver_service:service_manager find;
@@ -86,7 +87,6 @@
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaextractor_service:service_manager find;
 allow mediaserver mediacodec_service:service_manager find;
-allow mediaserver mediaserver_service:service_manager { add find };
 allow mediaserver mediametrics_service:service_manager find;
 allow mediaserver media_session_service:service_manager find;
 allow mediaserver permission_service:service_manager find;
diff --git a/public/netd.te b/public/netd.te
index 45a1952..df18203 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -61,7 +61,7 @@
 
 # Allow netd to publish a binder service and make binder calls.
 binder_use(netd)
-allow netd netd_service:service_manager add;
+add_service(netd, netd_service)
 allow netd dumpstate:fifo_file  { getattr write };
 
 # Allow netd to call into the system server so it can check permissions.
@@ -92,7 +92,7 @@
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
 
-# only system_server and dumpstate may interact with netd over binder
-neverallow { domain -system_server -dumpstate } netd_service:service_manager find;
+# only system_server, dumpstate and netd  may interact with netd over binder
+neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
 neverallow { domain -system_server -dumpstate } netd:binder call;
 neverallow netd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
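Review bot: The rewritten comment `# only system_server, dumpstate and netd  may interact with netd over binder` has a double space before `may`, which the other comments in this file do not. It should read `# only system_server, dumpstate and netd may interact with netd over binder`. The neverallow rules below it are unchanged by this hunk.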
diff --git a/public/nfc.te b/public/nfc.te
index 9a8b471..866180b 100644
--- a/public/nfc.te
+++ b/public/nfc.te
@@ -25,7 +25,7 @@
 allow nfc mediaextractor_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
 
-allow nfc nfc_service:service_manager { add find };
+add_service(nfc, nfc_service)
 allow nfc radio_service:service_manager find;
 allow nfc surfaceflinger_service:service_manager find;
 allow nfc app_api_service:service_manager find;
diff --git a/public/radio.te b/public/radio.te
index eb52f09..953b59c 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -24,12 +24,12 @@
 # ctl interface
 set_prop(radio, ctl_rildaemon_prop)
 
+add_service(radio, radio_service)
 allow radio audioserver_service:service_manager find;
 allow radio cameraserver_service:service_manager find;
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio nfc_service:service_manager find;
-allow radio radio_service:service_manager { add find };
 allow radio surfaceflinger_service:service_manager find;
 allow radio app_api_service:service_manager find;
 allow radio system_api_service:service_manager find;
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index 2b1faec..68e86b1 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -57,11 +57,12 @@
 
 
 # media.player service
+add_service(surfaceflinger, gpu_service)
+add_service(surfaceflinger, surfaceflinger_service)
+
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
-allow surfaceflinger gpu_service:service_manager { add find };
-allow surfaceflinger surfaceflinger_service:service_manager { add find };
 allow surfaceflinger window_service:service_manager find;
 
 # allow self to set SCHED_FIFO
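Review bot: The two new lines `add_service(surfaceflinger, gpu_service)` and `add_service(surfaceflinger, surfaceflinger_service)` are inserted directly under the pre-existing `# media.player service` comment, so that comment now reads as if it describes the gpu and surfaceflinger service registrations rather than the `allow surfaceflinger mediaserver_service:service_manager find;` rule it appears to have headed. Either place the two add_service() lines and their blank line above the comment so it stays attached to the mediaserver_service rule, or replace the comment with `# Register the gpu and surfaceflinger services`. The rule list continues outside the hunk.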
diff --git a/public/system_server.te b/public/system_server.te
index 8485480..1dfdafa 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -482,6 +482,7 @@
 allow system_server sysfs_zram:dir search;
 allow system_server sysfs_zram:file r_file_perms;
 
+add_service(system_server, system_server_service);
 allow system_server audioserver_service:service_manager find;
 allow system_server batteryproperties_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
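Review bot: The invocation `add_service(system_server, system_server_service);` carries a trailing semicolon that none of the other add_service() calls in this commit have; the macro body already terminates its own allow and neverallow statements, so the `;` is left behind as a bare statement after m4 expansion. The commit's test note indicates the policy still compiles, so this looks like a style inconsistency rather than a build break, but it should be `add_service(system_server, system_server_service)` to match the rest. The find list this line sits in continues outside the hunk.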
@@ -500,7 +501,6 @@
 allow system_server netd_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
-allow system_server system_server_service:service_manager { add find };
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server wificond_service:service_manager find;
 
diff --git a/public/te_macros b/public/te_macros
index d4e1324..0eba3ff 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -371,6 +371,16 @@
   allow drmserver $1:process getattr;
 ')
 
+###########################################
+# add_service(domain, service)
+# Ability for domain to add a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_service', `
+  allow $1 $2:service_manager { add find };
+  neverallow { domain -$1 } $2:service_manager add;
+')
+
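Review bot: The new add_service() header does not state that a given service type may be passed to it exactly once, yet the rule it emits, `neverallow { domain -$1 } $2:service_manager add;`, excludes only that one caller, so a second invocation naming the same service from a different domain would make each caller's allow contradict the other's neverallow and fail the policy build. The macro also grants find unconditionally, so the callers converted in this commit that previously had only add (storaged, cameraserver, dumpstate, installd, mediacodec, mediaextractor, mediametrics, netd, update_engine) now receive find on their own service as well; if that widening is intended, the header should say so. I would extend the header comment with `# Invoke at most once per service: the neverallow permits only` and `# the named domain to add it. The domain is also granted find.`.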
 ##########################################
 # print a message with a trailing newline
 # print(`args')
diff --git a/public/update_engine.te b/public/update_engine.te
index 2c6e585..3a33407 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -25,7 +25,7 @@
 
 # Register the service to perform Binder IPC.
 binder_use(update_engine)
-allow update_engine update_engine_service:service_manager { add };
+add_service(update_engine, update_engine_service)
 
 # Allow update_engine to call the callback function provided by priv_app.
 binder_call(update_engine, priv_app)
diff --git a/public/wificond.te b/public/wificond.te
index 0fcc3ae..dd22d26 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -5,7 +5,7 @@
 binder_use(wificond)
 binder_call(wificond, system_server)
 
-allow wificond wificond_service:service_manager { add find };
+add_service(wificond, wificond_service)
 
 # wificond writes firmware paths to this file.
 # wificond also changes the owership of this file on startup.