Access to HALs from untrusted apps is blacklist-based
Before this change, access to HALs from untrusted apps was prohibited
except for the whitelisted ones like the gralloc HAL, the renderscript
HAL, etc. As a result, any HAL that is added by partners can't be
accessed from apps. This sometimes is a big restriction for them when
they want to access their own HALs in the same-process HALs running in
apps. Although this is a vendor-to-vendor communication and thus is not
a Treble violation, that was not allowed because their HALs are not in
the whitelist in AOSP.
This change fixes the problem by doing the access control in the
opposite way; access to HALs is restricted only for the blacklisted
ones.
All the hwservice contexts that were not in the whitelist are now put
on the blacklist.
This change also removes the neverallow rule for the binder access to
the halserverdomain types. This is not needed as the protected
hwservices living in the HAL processes are already not accessible; we
have a neverallow rule for preventing hwservice_manager from finding
those protected hwservices from untrusted apps.
Bug: 139645938
Test: m
Merged-In: I1e63c11143f56217eeec05e2288ae7c91e5fe585
(cherry picked from commit 580375c923d422ebf40264b0649a08488fde320c)
Change-Id: I4e611091a315ca90e3c181f77dd6a5f61d3a6468
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 05ec95c..e5c6aee 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -205,11 +205,11 @@
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
-# Do not permit access from apps which host arbitrary code to HwBinder services,
-# except those considered sufficiently safe for access from such apps.
+# Do not permit access from apps which host arbitrary code to the protected HwBinder
+# services.
# The two main reasons for this are:
-# 1. HwBinder servers do not perform client authentication because HIDL
-# currently does not expose caller UID information and, even if it did, many
+# 1. Protected HwBinder servers do not perform client authentication because HIDL
+# currently does not expose caller UID information and, even if it did, those
# HwBinder services either operate at a level below that of apps (e.g., HALs)
# or must not rely on app identity for authorization. Thus, to be safe, the
# default assumption is that every HwBinder service treats all its clients as
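Review bot: the rewritten comment at the top of this hunk ("Do not permit access ... to the protected HwBinder services") no longer tells a reader what makes a service "protected" or where the `protected_hwservice` attribute is assigned, while the old text at least named the safe categories inline. Suggest adding one line such as "# Services carrying the protected_hwservice attribute (see <attribute definition file>) are those not explicitly vetted for untrusted-app access" so partners adding a HAL know which attribute controls app visibility. Also, the new reason #1 says "those HwBinder services either operate at a level below that of apps"; since the rule now only names protected services, consider "protected HwBinder services" here as well to keep the two sentences consistent.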
@@ -218,37 +218,7 @@
# incidence rate of security issues than system/core components and have
# access to lower layes of the stack (all the way down to hardware) thus
# increasing opportunities for bypassing the Android security model.
-#
-# Safe services include:
-# - same process services: because they by definition run in the process
-# of the client and thus have the same access as the client domain in which
-# the process runs
-# - coredomain_hwservice: are considered safe because they do not pose risks
-# associated with reason #2 above.
-# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
-# designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-# by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-# Binder service which apps were permitted to access.
-# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
-neverallow all_untrusted_apps {
- hwservice_manager_type
- -fwk_bufferhub_hwservice
- -hal_cas_hwservice
- -hal_codec2_hwservice
- -hal_configstore_ISurfaceFlingerConfigs
- -hal_graphics_allocator_hwservice
- -hal_graphics_mapper_hwservice
- -hal_neuralnetworks_hwservice
- -hal_omx_hwservice
- -hal_renderscript_hwservice
- -hidl_allocator_hwservice
- -hidl_manager_hwservice
- -hidl_memory_hwservice
- -hidl_token_hwservice
- -untrusted_app_visible_hwservice_violators
-}:hwservice_manager find;
+neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
neverallow all_untrusted_apps {
vendor_service
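Review bot: the replacement rule `neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;` inverts the default, so every hwservice type that is not tagged `protected_hwservice` becomes findable by untrusted apps, but the tagging itself is not in this file; please confirm in the same change that every type in `hwservice_manager_type` other than the fourteen exceptions removed here (fwk_bufferhub_hwservice through untrusted_app_visible_hwservice_violators) carries the attribute, and consider a neverallow or a build-time check that new hwservice types declared without it are flagged, since a forgotten attribute now widens exposure silently instead of failing closed. The deleted "Safe services include" list was the only place documenting why each exception was acceptable; keep that rationale (or move it next to the attribute definition) rather than dropping it, and fix the pre-existing typo "layes" in the context line "access to lower layes of the stack" while touching this block.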
@@ -257,24 +227,6 @@
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
-# Restrict *Binder access from apps to HAL domains. We can only do this on full
-# Treble devices where *Binder communications between apps and HALs are tightly
-# restricted.
-full_treble_only(`
- neverallow all_untrusted_apps {
- halserverdomain
- -coredomain
- -hal_cas_server
- -hal_codec2_server
- -hal_configstore_server
- -hal_graphics_allocator_server
- -hal_neuralnetworks_server
- -hal_omx_server
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- -untrusted_app_visible_halserver_violators
- }:binder { call transfer };
-')
-
# Access to /proc/tty/drivers, to allow apps to determine if they
# are running in an emulated environment.
# b/33214085 b/33814662 b/33791054 b/33211769
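Review bot: the removed `full_treble_only` block denied `binder { call transfer }` from untrusted apps to `halserverdomain`, which is a different surface from the `hwservice_manager find` rule kept above: a binder reference to a HAL process can reach an app without the app ever performing a find (for example when another process hands it over in a transaction), and the find neverallow does not cover that path. The commit message justifies the removal only by the find restriction, so either state explicitly why handle transfer from intermediaries is not a concern here or keep a binder neverallow for the protected server domains. Also, dropping the `-binder_in_vendor_violators # TODO(b/35870313)` exclusion removes the tracking note for that bug; confirm the bug is resolved or moved, and consider adding a CTS/sepolicy test beyond `Test: m` that an untrusted app cannot reach a protected HAL, since a build alone does not exercise the policy.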