Merge "Assert ban on framework <-> vendor comms over VndBinder" into oc-dev
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0f0f577..7827c8b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -21,6 +21,10 @@
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow all_untrusted_apps property_socket:sock_file write;
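Review bot: The new comment `# Do not allow untrusted apps to use VendorBinder` states the rule but not the reason, whereas the neighbouring property-service rule cites its tracking bug (b/10243159); someone later auditing why untrusted apps lose every permission on `vndbinder_device` and `vndservice_manager_type` has nothing to go on here. Suggest expanding it to `# Do not allow untrusted apps to use VendorBinder: on full TREBLE devices only vendor components (plus shell/su) may use it, see the full_treble_only neverallows in domain.te`, and adding the tracking bug reference if one exists. A blank line before the new comment would also match the spacing this file keeps between rule groups (compare the blank line the hunk itself adds before the property-service comment).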
diff --git a/public/domain.te b/public/domain.te
index f634336..1e5c16c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -559,6 +559,27 @@
} servicemanager:binder { call transfer };
')
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+ } vndbinder_device:chr_file rw_file_perms;
+ neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservice_manager_type:service_manager *;
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservicemanager:binder *;
+')
+
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
full_treble_only(`
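Review bot: The `-ueventd # uevent is granted create for this device, but we still neverallow I/O below` exemption in the first neverallow does not explain itself: `create` is not a permission that a `chr_file rw_file_perms` neverallow would deny (the macro is defined outside this diff, so hedging), so the stated reason does not justify removing ueventd from the rule, and "uevent" appears to be a typo for "ueventd". The effect is that ueventd is exempt from the blanket rule and only denied `{ read write append ioctl }` by the follow-up line, so whatever rw_file_perms contains beyond those four (presumably open/getattr/lock) remains permitted to ueventd, which the comment should say explicitly since this is the one coredomain carve-out on the vendor binder device. Suggest `-ueventd # ueventd creates the device node and needs the remaining rw_file_perms bits; its read/write/append/ioctl are neverallowed separately below`, naming the exact permissions once confirmed against the macro.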
diff --git a/public/init.te b/public/init.te
index e997e13..6d43ef4 100644
--- a/public/init.te
+++ b/public/init.te
@@ -205,7 +205,13 @@
# init should not be able to read or open generic devices
# TODO: auditing to see if this can be deleted entirely
-allow init { dev_type -kmem_device -port_device -device }:chr_file { read open };
+allow init {
+ dev_type
+ -kmem_device
+ -port_device
+ -device
+ -vndbinder_device
+ }:chr_file { read open };
auditallow init {
dev_type
-alarm_device
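Review bot: The added `-vndbinder_device` exclusion carries no comment, so the list now mixes exclusions that are kernel-sensitive devices (kmem, port) with one that is a TREBLE boundary, and a reader cannot tell which rule it exists to satisfy. Suggest `-vndbinder_device # vendor-only binder; coredomain access is neverallowed in domain.te` on that line. The `auditallow init { dev_type ... }` statement that begins at the end of the hunk continues outside it, so whether it needs a matching exclusion cannot be judged from here.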
diff --git a/public/servicemanager.te b/public/servicemanager.te
index bba9c6e..3cf5a46 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -9,7 +9,12 @@
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
-allow servicemanager { domain -init }:binder transfer;
+allow servicemanager {
+ domain
+ -init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
# Access to all (system and vendor) service_contexts
# TODO(b/36866029) access to nonplat_service_contexts
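Review bot: The two new exclusions `-hwservicemanager` and `-vndservicemanager` in the `binder transfer` allow are undocumented, and the header comment above (which begins before the hunk) only describes servicemanager's own behaviour, not why these two domains in particular are carved out of the `domain` attribute alongside init. Suggest a comment on the rule such as `# Never exchange binder references with the other context managers (hwservicemanager, vndservicemanager)`, assuming that is the intent (inferred from the domain names; confirm). Stating it in the policy also makes the later vndservicemanager neverallow in domain.te easier to correlate with this allow.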