Merge "hwservicemanager: halserverdomain"
diff --git a/private/app.te b/private/app.te
index 1b1f4ca..ed2d8b6 100644
--- a/private/app.te
+++ b/private/app.te
@@ -87,11 +87,12 @@
 
 # Execute the shell or other system executables.
 allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
 allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
 
 # Renderscript needs the ability to read directories on /system
-r_dir_file(appdomain, system_file)
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
 
 # Execute dex2oat when apps call dexclassloader
 allow appdomain dex2oat_exec:file rx_file_perms;
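Review bot: Nothing in this hunk explains why `r_dir_file(appdomain, system_file)` was unrolled into a `dir` rule plus an `lnk_file` rule listing only `{ getattr open read }`, or why the `file` rule for `{ appdomain -ephemeral_app -untrusted_v2_app }` shrank from `rx_file_perms` to `x_file_perms`; the old `# Renderscript needs the ability to read directories on /system` comment now sits above rules that deliberately omit `lock` (and `ioctl`). The motivation is visible elsewhere in the same commit — `neverallow all_untrusted_apps system_file:file lock;` in app_neverallows.te — so I would record it next to the rules, e.g. `# Permissions are spelled out instead of r_dir_file: file lock on /system is neverallowed for untrusted apps (see app_neverallows.te).`. After this change app.te itself grants apps no read permission on `system_file:file`, so that access presumably comes from a broader rule outside this file; worth confirming that rule is also lock-free, otherwise the new neverallow will reject the policy at build time.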
@@ -133,7 +134,7 @@
 # Write to /proc/net/xt_qtaguid/ctrl file.
 allow appdomain qtaguid_proc:file rw_file_perms;
 # read /proc/net/xt_qtguid/stats
-r_dir_file(appdomain, proc_net)
+r_dir_file({ appdomain -ephemeral_app}, proc_net)
 # Everybody can read the xt_qtaguid resource tracking misc dev.
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;
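Review bot: Style: the set literal `{ appdomain -ephemeral_app}` is missing the space before the closing brace that every other set in this file uses (`{ appdomain -ephemeral_app -untrusted_v2_app }` a few lines above), so the line should read `r_dir_file({ appdomain -ephemeral_app }, proc_net)`. The comment above it, `# read /proc/net/xt_qtguid/stats`, does not say why ephemeral apps are now excluded; the reason only appears in ephemeral_app.te's new neverallow, so a pointer here such as `# ephemeral apps are excluded: proc_net exposes device-wide connection state (see ephemeral_app.te)` would keep the allow and the neverallow readable together.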
@@ -246,6 +247,9 @@
 # Allow app to access the graphic allocator HAL
 binder_call({ appdomain -isolated_app }, hal_graphics_allocator)
 
+# App can access configstore HAL which is read only
+binder_call({ appdomain -isolated_app }, hal_configstore)
+
 # Allow app to access shared memory created by camera HAL1
 allow { appdomain -isolated_app } hal_camera:fd use;
 
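Review bot: The configstore access is granted with a bare `binder_call({ appdomain -isolated_app }, hal_configstore)`, while the rest of this commit expresses HAL client access through `hal_client_domain(...)` on the client side (surfaceflinger, cameraserver) and a single client→server `binder_call` in the HAL's own .te file (hal_graphics_allocator.te, hal_gatekeeper.te). If hal_configstore is defined with `_client`/`_server` attributes like those HALs, and the macro accepts a type set as its first argument, the same pattern here would keep app.te consistent with the rest of the change; hal_configstore's definition is not in this diff, so treat this as a consistency question rather than a defect. The comment `# App can access configstore HAL which is read only` would also read more precisely as `# Apps may call the configstore HAL; it exposes only read-only configuration values.`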
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 15ab764..5e47b68 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -100,3 +100,7 @@
 
 # Do not allow untrusted apps access to preloads data files
 neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 2b94827..2b0515a 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -52,3 +52,7 @@
 # Directly access external storage
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
 neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 0aff9f5..3808c83 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -9,7 +9,6 @@
 
 # Perform HwBinder IPC.
 hwbinder_use(surfaceflinger)
-binder_call(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 binder_call(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
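Review bot: Removing `binder_call(surfaceflinger, hal_graphics_allocator)` in favour of the client→server rule now in hal_graphics_allocator.te leaves the adjacent `binder_call(surfaceflinger, hal_graphics_composer)` sitting next to `hal_client_domain(surfaceflinger, hal_graphics_composer)`, so the two HALs are expressed differently on neighbouring lines. If hal_graphics_composer.te is (or will be) given the equivalent `binder_call(hal_graphics_composer_client, hal_graphics_composer_server)`, the composer line becomes redundant and should go the same way; if it is intentionally kept, a comment such as `# composer client/server binder_call not yet in hal_graphics_composer.te` would explain the asymmetry. hal_graphics_composer.te is not part of this diff, so I cannot tell which applies.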
diff --git a/private/system_server.te b/private/system_server.te
index 6029243..7361307 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -14,10 +14,6 @@
 
 allow system_server zygote_tmpfs:file read;
 
-# Create a socket for receiving info from wpa.
-type_transition system_server wifi_data_file:sock_file system_wpa_socket;
-type_transition system_server wpa_socket:sock_file system_wpa_socket;
-
 # For art.
 allow system_server dalvikcache_data_file:dir r_dir_perms;
 allow system_server dalvikcache_data_file:file { r_file_perms execute };
@@ -151,8 +147,6 @@
 unix_socket_connect(system_server, webview_zygote, webview_zygote)
 unix_socket_connect(system_server, zygote, zygote)
 unix_socket_connect(system_server, racoon, racoon)
-# TODO(b/35707797): Remove this socket access.
-unix_socket_send(system_server, wpa, hal_wifi_supplicant_server)
 unix_socket_connect(system_server, uncrypt, uncrypt)
 
 # Communicate over a socket created by surfaceflinger.
@@ -423,13 +417,6 @@
 # Read/write the property which keeps track of whether this is the first start of system_server
 set_prop(system_server, firstboot_prop)
 
-# Create a socket for receiving info from wpa.
-allow system_server wpa_socket:dir rw_dir_perms;
-allow system_server system_wpa_socket:sock_file create_file_perms;
-
-# Remove sockets created by wpa_supplicant
-allow system_server wpa_socket:sock_file unlink;
-
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
 
diff --git a/public/cameraserver.te b/public/cameraserver.te
index f2364a7..d1b55cf 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,6 +8,7 @@
 binder_service(cameraserver)
 
 hal_client_domain(cameraserver, hal_camera)
+hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
 
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index abecbda..ff36956 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -15,7 +15,6 @@
 
 ### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
 ### These rules should eventually be granted only when needed.
-hwbinder_use(gatekeeperd)
 hal_client_domain(gatekeeperd, hal_gatekeeper)
 ###
 
diff --git a/public/hal_gatekeeper.te b/public/hal_gatekeeper.te
index c428eba..618a2ee 100644
--- a/public/hal_gatekeeper.te
+++ b/public/hal_gatekeeper.te
@@ -1,7 +1,4 @@
-# call into gatekeeperd process (callbacks)
-# TODO: This rules is unlikely to be needed because Gatekeeper HIDL
-# says there are no callbacks
-binder_call(hal_gatekeeper, gatekeeperd)
+binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
 
 # TEE access.
 allow hal_gatekeeper tee_device:chr_file rw_file_perms;
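Review bot: The new `binder_call(hal_gatekeeper_client, hal_gatekeeper_server)` replaces a commented rule with an uncommented one, whereas the equivalent line added to hal_graphics_allocator.te in this commit carries `# HwBinder IPC from client to server`; the same comment belongs here for consistency and so the granted direction is obvious. The removed comment also recorded that Gatekeeper HIDL has no callbacks, which is exactly why only the client→server direction is needed; keeping that rationale as `# Gatekeeper HIDL has no callbacks, so only client -> server calls are granted.` preserves information the diff otherwise drops.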
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 45999be..e434751 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,3 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 61b15ca..130a8f6 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -17,3 +17,36 @@
   -hal_wifi_supplicant_server
   -rild
 } domain:{ tcp_socket udp_socket rawip_socket } *;
+
+###
+# HALs are defined as an attribute and so a given domain could hypothetically
+# have multiple HALs in it (or even all of them) with the subsequent policy of
+# the domain comprised of the union of all the HALs.
+#
+# This is a problem because
+# 1) Security sensitive components should only be accessed by specific HALs.
+# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
+#    the platform.
+# 3) The platform cannot reason about defense in depth if there are
+#    monolithic domains etc.
+#
+# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
+# its OK for them to share a process its not OK with them to share processes
+# with other hals.
+#
+# The following neverallow rules, in conjuntion with CTS tests, assert that
+# these security principles are adhered to.
+#
+# Do not allow a hal to exec another process without a domain transition.
+# TODO remove exemptions.
+neverallow {
+  halserverdomain
+  -hal_dumpstate_server
+  -rild
+} { file_type fs_type }:file execute_no_trans;
+# Do not allow a process other than init to transition into a HAL domain.
+neverallow { domain -init } halserverdomain:process transition;
+# Only allow transitioning to a domain by running its executable. Do not
+# allow transitioning into a HAL domain by use of seclabel in an
+# init.*.rc script.
+neverallow * halserverdomain:process dyntransition;
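Review bot: Style: the new comment block has typos that everyone who trips one of these neverallows at build time will read — `conjuntion` → `conjunction`, and `its OK for them to share a process its not OK with them to share processes` → `it's OK for them to share a process, it's not OK for them to share a process`. The `# TODO remove exemptions.` line does not follow the `# TODO(b/<id>): …` form used elsewhere in this policy (see the removed `# TODO(b/35707797)` lines in system_server.te and hal_wifi_supplicant.te), so nothing tracks the hal_dumpstate_server and rild exemptions; `# TODO(b/<bug-id>): remove the hal_dumpstate_server and rild exemptions.` with a real bug id would keep them from becoming permanent. A one-line justification for each exemption would also help, since the `execute_no_trans` rule is the only one of the three with exemptions and the block does not say why those two domains must exec without a domain transition.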
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 8d2c0ea..ed10f8d 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -18,12 +18,6 @@
 allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
 allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
 allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
-# TODO(b/35707797): Remove this socket access.
-unix_socket_send(hal_wifi_supplicant, system_wpa, system_server)
-
-# HIDL interface exposed by WPA.
-hwbinder_use(hal_wifi_supplicant)
-binder_call(hal_wifi_supplicant, system_server)
 
 # Create a socket for receiving info from wpa
 allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
diff --git a/public/te_macros b/public/te_macros
index 60de568..0e1bffb 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -148,26 +148,6 @@
 typeattribute $1 bluetoothdomain;
 ')
 
-# TODO: Remove hal_impl_domain once all uses have been switched to hal_server_domain.
-#####################################
-# hal_impl_domain(domain[, hal_type_attr])
-# Allow a base set of permissions required for a domain to host a
-# HAL implementation.
-#
-# Optionally, the type of the HAL can be specified as the second
-# argument. This is useful for HALs which may have multiple
-# implementations. Attributes are used to group the various
-# implementations of such HALs.
-#
-# For example, default implementation of Foo HAL:
-#   type hal_foo_default, domain;
-#   hal_impl_domain(hal_foo_default, hal_foo)
-#
-define(`hal_impl_domain', `
-typeattribute $1 halserverdomain;
-ifelse($2, `', `', `typeattribute $1 $2;')
-')
-
 #####################################
 # hal_server_domain(domain, hal_type)
 # Allow a base set of permissions required for a domain to offer a