Merge "Exempt tetheroffload hal from network socket restrictions" into oc-dev
diff --git a/private/app.te b/private/app.te
index 4b9d87d..6f2b820 100644
--- a/private/app.te
+++ b/private/app.te
@@ -225,8 +225,8 @@
 allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
 
 # Access OBBs (vfat images) mounted by vold (b/17633509)
 # File write access allowed for FDs returned through Storage Access Framework
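Review bot: The comment above the changed lines still explains only the media_rw_data_file grant as a sdcardfs workaround; the new `vfat` target, which lets these app domains create and remove directories and files on FAT-formatted storage, is left without a rationale. A line next to the existing comment such as `# vfat: <reason for direct FAT access — fill in>` or a bug reference like the one used for OBBs below would record why the broader grant is needed. It should also be stated whether the "remove once sdcardfs is modified" condition applies to vfat as well, since otherwise a later cleanup of the sdcardfs workaround may drop or keep the wrong half of these two rules.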
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0917724..3c159d5 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -132,20 +132,63 @@
 #    incidence rate of security issues than system/core components and have
 #    access to lower layes of the stack (all the way down to hardware) thus
 #    increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+#   of the client and thus have the same access as the client domain in which
+#   the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+#   associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs:  becuase it has specifically been
+#   designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+#   by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+#   Binder service which apps were permitted to access.
 neverallow all_untrusted_apps {
   hwservice_manager_type
-  # Same process services are safe because they by definition run in the process
-  # of the client and thus have the same access as the client domain in which
-  # the process runs
   -same_process_hwservice
-  -coredomain_hwservice # neverallows for coredomain HwBinder services are below
-  -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
-  # These operations are also offered by surfaceflinger Binder service which
-  # apps are permitted to access
+  -coredomain_hwservice
+  -hal_configstore_ISurfaceFlingerConfigs
   -hal_graphics_allocator_hwservice
-  # HwBinder version of mediacodec Binder service which apps were permitted to
-  # access
   -hal_omx_hwservice
+  -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+  default_android_hwservice
+  hal_audio_hwservice
+  hal_bluetooth_hwservice
+  hal_bootctl_hwservice
+  hal_camera_hwservice
+  hal_contexthub_hwservice
+  hal_drm_hwservice
+  hal_dumpstate_hwservice
+  hal_fingerprint_hwservice
+  hal_gatekeeper_hwservice
+  hal_gnss_hwservice
+  hal_graphics_composer_hwservice
+  hal_health_hwservice
+  hal_ir_hwservice
+  hal_keymaster_hwservice
+  hal_light_hwservice
+  hal_memtrack_hwservice
+  hal_nfc_hwservice
+  hal_oemlock_hwservice
+  hal_power_hwservice
+  hal_sensors_hwservice
+  hal_telephony_hwservice
+  hal_thermal_hwservice
+  hal_tv_cec_hwservice
+  hal_tv_input_hwservice
+  hal_usb_hwservice
+  hal_vibrator_hwservice
+  hal_vr_hwservice
+  hal_weaver_hwservice
+  hal_wifi_hwservice
+  hal_wifi_supplicant_hwservice
+  hidl_base_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.
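Review bot: The second neverallow block is the real guard here, because once a hwservice type carries untrusted_app_visible_hwservice the new `-untrusted_app_visible_hwservice` exemption lets every untrusted app `find` it, yet nothing says that hwservice types added later must be appended to that list; a comment above it such as `# Any hwservice type not listed here may be labeled untrusted_app_visible_hwservice (see public/attributes); keep this list in sync with the hal_*_hwservice types.` would make the contract explicit. The "Safe services include" rationale list also does not mention the new untrusted_app_visible_hwservice exemption, so it is incomplete as written. The rule `neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302` appears to exist only to keep the attribute referenced rather than to express a policy constraint, and the TODO should say so; the same one-line pattern recurs in all five public/domain.te hunks and both public/te_macros hunks, and the same comment applies to each. Minor: "becuase" in the new hal_configstore line.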
diff --git a/public/attributes b/public/attributes
index 90740d4..cde55da 100644
--- a/public/attributes
+++ b/public/attributes
@@ -144,6 +144,15 @@
 # TODO(b/36463595)
 attribute vendor_executes_system_violators;
 
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary.  It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
+
 # PDX services
 attribute pdx_endpoint_dir_type;
 attribute pdx_endpoint_socket_type;
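Review bot: The WARNING comment says the attribute is temporary but not what it grants, which is the security-relevant fact a reader of this file needs: labeling a hwservice with it exempts that service from the all_untrusted_apps `hwservice_manager find` neverallow in private/app_neverallows.te. Adding `# Labeling a hwservice with this attribute lets all_untrusted_apps find it via hwservice_manager (see private/app_neverallows.te).` after the first comment line would make that explicit. A cross-reference to the list of hwservices that may never carry this label, which lives in app_neverallows.te, would also keep the two files from drifting apart.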
diff --git a/public/domain.te b/public/domain.te
index 34cbadc..d2b370a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -497,6 +497,7 @@
   -recovery
   -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+neverallow hal_bootctl unlabeled:service_manager list; #TODO: b/62658302
 
 # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
 neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
@@ -555,6 +556,7 @@
     -appdomain
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
   } servicemanager:binder { call transfer };
+  neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 ')
 
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
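Review bot: `neverallow binder_in_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302` has a stray space before the semicolon, unlike the hal_bootctl and vendor_executes_system_violators rules in this file; the same spacing appears in the next hunk for socket_between_core_and_vendor_violators. Normalizing both to `list;` keeps the repeated TODO rules grep-able as one pattern for the eventual cleanup. The enclosing m4 block starts outside the hunk.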
@@ -613,6 +615,7 @@
     -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
     -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
   });
+  neverallow socket_between_core_and_vendor_violators unlabeled:service_manager list ; #TODO: b/62658302
 
   # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
   neverallow_establish_socket_comms({
@@ -644,6 +647,10 @@
     -pdx_endpoint_socket_type # used by VR layer
     -pdx_channel_socket_type # used by VR layer
   }:sock_file ~{ append getattr ioctl read write };
+  neverallow {
+    pdx_endpoint_socket_type
+    pdx_channel_socket_type
+  } unlabeled:service_manager list; #TODO: b/62658302
 
   # Core domains are not permitted to create/open sockets owned by vendor domains
   neverallow {
@@ -728,6 +735,7 @@
         -crash_dump_exec
         -netutils_wrapper_exec
     }:file { entrypoint execute execute_no_trans };
+    neverallow vendor_executes_system_violators unlabeled:service_manager list; #TODO: b/62658302
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
diff --git a/public/runas.te b/public/runas.te
index cda02ef..7a7febf 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -2,6 +2,7 @@
 type runas_exec, exec_type, file_type;
 
 allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
 allow runas shell:unix_stream_socket { read write };
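Review bot: The added `allow runas adbd:unix_stream_socket { read write };` grants the run-as helper read/write on a socket owned by adbd, but unlike the adjacent shell rules there is no comment recording why; presumably it is the stdio socket inherited when run-as is launched from an adb shell session, but that should be confirmed and written down, e.g. `# run-as inherits adbd's stream socket as stdio when launched from adb shell` if that is the reason. Since runas is a privileged helper that switches to an app's uid, documenting the intended data flow here lets later audits distinguish it from an unexpected grant.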
diff --git a/public/te_macros b/public/te_macros
index b1937d8..d65eb88 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -550,6 +550,7 @@
 define(`add_service', `
   allow $1 $2:service_manager { add find };
   neverallow { domain -$1 } $2:service_manager add;
+  neverallow $1 unlabeled:service_manager add; #TODO: b/62658302
 ')
 
 ###########################################
@@ -561,6 +562,7 @@
   allow $1 $2:hwservice_manager { add find };
   allow $1 hidl_base_hwservice:hwservice_manager add;
   neverallow { domain -$1 } $2:hwservice_manager add;
+  neverallow $1 unlabeled:hwservice_manager add; #TODO: b/62658302
 ')
 
 ##########################################