commit a16308f09a9879c7f7af28d481327509e866523f
author Marco Ballesio <balejs@google.com> Tue Sep 08 16:00:41 2020 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Sep 08 16:00:41 2020 +0000
tree 8b02861ec9f25db3ed618be82f0ae30eb8b9a484
parent fbb6546cbdd00a80b9ddf08d7f3d0e0bb491af26
parent 5fe69e082ac44aba637469fc59fee9f311c8d20b

Merge "sepolicy: restrict BINDER_FREEZE to system_server"

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 58ccc18..849676e 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1013,6 +1013,9 @@
 
 get_prop(system_server, wifi_config_prop)
 
+# Only system server can access BINDER_FREEZE
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE };
+
 ###
 ### Neverallow rules
 ###
@@ -1231,3 +1234,7 @@
   -dumpstate
   -system_server
 } wifi_config_prop:file no_rw_file_perms;
+
+# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
+# can be accessed by system_server only (b/143717177)
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };

public/domain.te

diff --git a/public/domain.te b/public/domain.te
index 1bfdcea..812f1a2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,10 @@
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
 
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
+
 # /dev/binderfs needs to be accessed by everyone too!
 allow domain binderfs:dir { getattr search };
 allow domain binderfs_logs_proc:dir search;

public/ioctl_defines

diff --git a/public/ioctl_defines b/public/ioctl_defines
index 3c7758a..8b28beb 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,7 +132,11 @@
 define(`BC_REPLY', `0x40406301')
 define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
 define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
 define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
 define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
 define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
 define(`BINDER_SET_MAX_THREADS', `0x40046205')

public/ioctl_macros

diff --git a/public/ioctl_macros b/public/ioctl_macros
index 5cbfae5..4538962 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -66,3 +66,11 @@
 PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
 PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
 }')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT
+}')