Reland "Re-open /dev/binder access to all."
This reverts commit 6b2eaade8201e49a746173ff13f9bd89f024eb81.
Reason for revert: reland original CL
Separate runtime infrastructure now makes sure that only Stable AIDL
interfaces are used system<->vendor.
Bug: 136027762
Change-Id: Id5ba44c36a724e2721617de721f7cffbd3b1d7b6
Test: boot device, use /dev/binder from vendor
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index d496e90..a2223b2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -250,6 +250,11 @@
-untrusted_app_visible_hwservice_violators
}:hwservice_manager find;
+neverallow all_untrusted_apps {
+ vendor_service
+ vintf_service
+}:service_manager find;
+
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
diff --git a/public/attributes b/public/attributes
index 5cada23..c5e0cba 100644
--- a/public/attributes
+++ b/public/attributes
@@ -98,6 +98,12 @@
# services which export only system_api
attribute system_api_service;
+# services which should only be available to vendor
+attribute vendor_service;
+
+# services which should be available system<->vendor
+attribute vintf_service;
+
# All types used for services managed by servicemanager.
# On change, update CHECK_SC_ASSERT_ATTRS
# definition in tools/checkfc.c.
diff --git a/public/domain.te b/public/domain.te
index e12c224..3771506 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -88,15 +88,9 @@
allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
allow { domain -coredomain -appdomain } ashmem_server: binder call;
-# /dev/binder can be accessed by non-vendor domains and by apps
-allow {
- coredomain
- appdomain
- binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- -hwservicemanager
-} binder_device:chr_file rw_file_perms;
-# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
-not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+# /dev/binder can be accessed by ... everyone! :)
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+
allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
@@ -630,31 +624,23 @@
neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
-# domain apps need this because Android framework offers many of its services to apps as Binder
-# services.
-full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } binder_device:chr_file rw_file_perms;
-')
+# system services cant add vendor services
+neverallow {
+ coredomain
+} vendor_service:service_manager add;
-# libcutils can probe for /dev/binder permissions with access(). Ignore
-# generated denials. See b/129073672 for details.
-dontaudit domain binder_device:chr_file audit_access;
+# vendor services cant add system services
+neverallow {
+ domain
+ -coredomain
+ -binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
+} {
+ service_manager_type
+ -vendor_service
+ -vintf_service
+}:service_manager add;
full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain # restrictions for vendor apps are declared lower down
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } service_manager_type:service_manager find;
-')
-full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
neverallow {
@@ -679,14 +665,6 @@
-vr_manager_service
}:service_manager find;
')
-full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- } servicemanager:binder { call transfer };
-')
# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
full_treble_only(`