Merge "Allow violators of "no Binder in vendor" access to /dev/binder"
diff --git a/Android.mk b/Android.mk
index d0edeab..da58e53 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1,7 +1,38 @@
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
+LOCAL_MODULE := selinux_policy
+LOCAL_MODULE_TAGS := optional
+# Include SELinux policy. We do this here because different modules
+# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# type of conditional inclusion cannot be done in top-level files such
+# as build/target/product/embedded.mk.
+# This conditional inclusion closely mimics the conditional logic
+# inside init/init.cpp for loading SELinux policy from files.
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+# Use split SELinux policy
+LOCAL_REQUIRED_MODULES += \
+ mapping_sepolicy.cil \
+ nonplat_sepolicy.cil \
+ plat_sepolicy.cil \
+ plat_sepolicy.cil.sha256 \
+ secilc \
+ nonplat_file_contexts \
+ plat_file_contexts
+# Include precompiled policy, unless told otherwise
+ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
+LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat.sha256
+endif
+
+else
+# Use monolithic SELinux policy
+LOCAL_REQUIRED_MODULES += sepolicy \
+ file_contexts.bin
+endif
+include $(BUILD_PHONY_PACKAGE)
+
+include $(CLEAR_VARS)
# SELinux policy version.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
# Must be within the compatibility range reported by checkpolicy -V.
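Review bot: The guard `ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)` only matches the exact string `false`, so a value that picks up stray whitespace from a product makefile (e.g. `false ` from a line continuation) still pulls precompiled_sepolicy into the image; `ifneq ($(strip $(PRODUCT_PRECOMPILED_SEPOLICY)),false)` is the robust form for an opt-out switch like this. The header comment says the selection mirrors init/init.cpp, which means the module lists here and the file lookups there must be changed together; it would help to say so explicitly, e.g. `# Keep the module lists below in sync with the policy file lookups in init/init.cpp.` The rest of the Android.mk (the policy version variables) continues outside the hunk.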
diff --git a/private/adbd.te b/private/adbd.te
index 9b84603..73302ac 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -71,9 +71,9 @@
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
-# Needed for Android Studio screenshot
-hwbinder_use(adbd)
-allow adbd hal_graphics_allocator:fd use;
+
+# Needed for various screenshots
+hal_client_domain(adbd, hal_graphics_allocator)
# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
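Review bot: `hal_client_domain(adbd, hal_graphics_allocator)` replaces two narrowly scoped rules (`hwbinder_use(adbd)` and an `fd use` allow) with a macro that, as far as I can tell, makes adbd a full client of that HAL, so the effective grant appears to grow beyond what the removed lines gave, and the new comment `# Needed for various screenshots` is vaguer than the one it replaces. If the two removed permissions are all that screenshots need, keeping them explicit is the smaller grant; if the broader client attribute is genuinely required, the comment should name the additional access that motivates it, e.g. `# Needed for screenshots: adbd must be a hal_graphics_allocator client (<access beyond hwbinder + fd use that is needed>)`.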
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 628f971..b0048aa 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -49,6 +49,7 @@
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
+# TODO(b/36613472): Remove this once bluetooth daemon does not communicate with rild over sockets
# Bluetooth Sim Access Profile Socket to the RIL
unix_socket_connect(bluetooth, sap_uim, rild)
diff --git a/private/system_server.te b/private/system_server.te
index 3594266..5aae022 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -508,6 +508,8 @@
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
+# TODO(b/36506799): move vr_wm code to VrCore and remove this:
+allow system_server vr_window_manager_service:service_manager find;
allow system_server wificond_service:service_manager find;
allow system_server keystore:keystore_key {
diff --git a/private/tee.te b/private/tee.te
index 99f501e..01a52de 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,3 +1,7 @@
typeattribute tee coredomain;
init_daemon_domain(tee)
+
+# TODO(b/36601092, b/36601602): Remove this once Keymaster HAL and DRM HAL no longer communicate
+# with tee daemon over sockets or once the tee daemon is moved to vendor partition
+typeattribute tee socket_between_core_and_vendor_violators;
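Review bot: Adding `socket_between_core_and_vendor_violators` to tee contradicts the attribute's description introduced in public/attributes in this same change (`All vendor domains which violate ...`), because the first line of this file declares tee a coredomain. Against the two neverallow_establish_socket_comms rules added in public/domain.te the attribute on a core domain also appears to be a no-op: in the core→vendor rule the target set already excludes coredomain, and in the vendor→core rule the source set already excludes coredomain, so the exemption that matters for the keymaster/DRM `connectto` into tee is the one on the vendor peers (vendor/hal_keymaster_default.te and vendor/hal_drm_default.te already carry it). Either drop this line, or if the attribute is meant to mark both ends of a violating connection, widen the comment in public/attributes to say so, e.g. `# All domains (core or vendor) which take part in a socket connection between core and vendor components`.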
diff --git a/public/attributes b/public/attributes
index 00035ab..bfd53a3 100644
--- a/public/attributes
+++ b/public/attributes
@@ -122,6 +122,11 @@
# TODO(b/35870313): Remove this once there are no violations
attribute binder_in_vendor_violators;
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+
# All HAL servers
attribute halserverdomain;
# All HAL clients
diff --git a/public/domain.te b/public/domain.te
index 5cda0ec..b498cda 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -446,6 +446,51 @@
} servicemanager:binder { call transfer };
')
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+full_treble_only(`
+ # Most general rules first, more specific rules below.
+
+ # Core domains are not permitted to initiate communications to vendor domain sockets.
+ # We are not restricting the use of already established sockets because it is fine for a process
+ # to obtain an already established socket via some public/official/stable API and then exchange
+ # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+ # and thus does not break the core-vendor separation.
+ neverallow_establish_socket_comms({
+ coredomain
+ -init
+ -adbd
+ }, {
+ domain
+ -coredomain
+ -socket_between_core_and_vendor_violators
+ });
+ # Vendor domains are not permitted to initiate communications to core domain sockets
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
+ -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+ });
+
+ # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -netdomain
+ -socket_between_core_and_vendor_violators
+ }, netd);
+')
+
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
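Review bot: `-init` and `-adbd` in the core→vendor source set and `-init` in the vendor→core target set are the only exemptions in this block with no inline justification, while `-logd`, `-netd`, `-mdnsd`, `-su`, `-incidentd` and `-tombstoned` each explain themselves or cite a bug; an exclusion from a neverallow is exactly where the next reader needs the reason, so annotate them in the same style, e.g. `-adbd # <reason adbd must initiate connections to vendor sockets>`. The comment above the first rule has a typo: `dicatated` should be `dictated`. Note also that, being wrapped in `full_treble_only`, none of these rules are checked on non-Treble builds, which is presumably intended but worth a word in the leading comment. The `neverallow` whose header starts on the last visible line continues outside the hunk.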
diff --git a/public/file.te b/public/file.te
index fbc4f4a..fd7b048 100644
--- a/public/file.te
+++ b/public/file.te
@@ -242,7 +242,7 @@
type rild_socket, file_type;
type rild_debug_socket, file_type;
type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type;
+type system_ndebug_socket, file_type, mlstrustedobject;
type tombstoned_crash_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type;
type uncrypt_socket, file_type;
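Review bot: `system_ndebug_socket` gains `mlstrustedobject` with no comment saying which domain at another MLS level needs to reach it; the neighbouring `tombstoned_crash_socket` sets a precedent but is equally undocumented. Since mlstrustedobject relaxes the MLS constraints on the object, the reason should be recorded next to the type, e.g. `type system_ndebug_socket, file_type, mlstrustedobject; # mlstrustedobject: <domain> connects from a different MLS level`.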
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index d50812c..5e66c8a 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,6 +2,7 @@
binder_call(hal_keymaster_client, hal_keymaster_server)
allow hal_keymaster tee_device:chr_file rw_file_perms;
+# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
allow hal_keymaster tee:unix_stream_socket connectto;
allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/neverallow_macros b/public/neverallow_macros
index b36cceb..e2b6ed1 100644
--- a/public/neverallow_macros
+++ b/public/neverallow_macros
@@ -4,3 +4,12 @@
define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
define(`no_x_file_perms', `{ execute execute_no_trans }')
define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
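Review bot: The header of `neverallow_establish_socket_comms` says what the macro forbids but not what it deliberately leaves alone: it covers only connection establishment (`connect`/`sendto` on socket_class_set and `connectto` on unix_stream_socket), not data exchange over a socket obtained some other way, and that rationale currently lives only in the caller's comment in public/domain.te. Since every future caller inherits the limitation, add one line to this header, e.g. `# Only socket establishment is covered; using an already-established socket (e.g. an fd received via an API) is intentionally not restricted.` The description line would also read better as `# Forbid domains in src from establishing socket connections to domains in dst.`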
diff --git a/public/radio.te b/public/radio.te
index a896659..8c3c6a5 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -5,6 +5,7 @@
bluetooth_domain(radio)
binder_service(radio)
+# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
# Talks to rild via the rild socket.
unix_socket_connect(radio, rild, rild)
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 04ef7aa..d20063f 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -5,3 +5,5 @@
init_daemon_domain(hal_audio_default)
hal_client_domain(hal_audio_default, hal_allocator)
+
+typeattribute hal_audio_default socket_between_core_and_vendor_violators;
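Review bot: This is the only addition of `socket_between_core_and_vendor_violators` in the change that carries no TODO naming the bug and the socket peer; the sibling additions in vendor/hal_drm_default.te, vendor/hal_keymaster_default.te and private/tee.te each have a `# TODO(b/...)`, and public/attributes documents the attribute as temporary. Without it nobody can tell which core socket hal_audio_default connects to or when the exemption can be dropped. Suggest `# TODO(b/<bug-id>): Remove this once hal_audio_default no longer talks to <core daemon> over Unix domain sockets` with the real bug number and peer filled in.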
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index eba763a..77e6609 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -6,3 +6,6 @@
allow hal_drm_default mediacodec:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;
+
+# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
+typeattribute hal_drm_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 32df262..2fd5b44 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -3,3 +3,6 @@
type hal_keymaster_default_exec, exec_type, file_type;
init_daemon_domain(hal_keymaster_default)
+
+# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
+typeattribute hal_keymaster_default socket_between_core_and_vendor_violators;