Further restrict access to Binder services from vendor

This tightens neverallows for looking up Binder servicemanager services from vendor components. In particular, vendor components, other than apps, are not permitted to look up any Binder services. Vendor apps are permitted to look up only stable public API services which is exactly what non-vendor apps are permitted to use as well. If we permitted vendor apps to use non-stable/hidden Binder services, they might break when core components get updated without updating vendor components. Test: mmm system/sepolicy Bug: 35870313 Change-Id: I47d40d5d42cf4205d9e4e5e5f9d0794104efc28f

Further restrict access to Binder services from vendor
0052bc69 · Alex Klyubin · 6c4c9bea · 0052bc69
Commit 0052bc69 authored 7 years ago by Alex Klyubin
--- a/public/domain.te
+++ b/public/domain.te
@@ -442,19 +442,49 @@ full_treble_only(`
    -appdomain
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } binder_device:chr_file rw_file_perms;
+  neverallow {
+    domain
+    -coredomain
+    -appdomain # restrictions for vendor apps are declared lower down
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } service_manager_type:service_manager find;
+  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+  # services which can change any time framework/core is updated, breakage is likely.
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    service_manager_type
+    -app_api_service
+    -ephemeral_app_api_service
+    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+    -cameraserver_service
+    -drmserver_service
+    -keystore_service
+    -mediacasserver_service
+    -mediadrmserver_service
+    -mediaextractor_service
+    -mediametrics_service
+    -mediaserver_service
+    -nfc_service
+    -radio_service
+    -surfaceflinger_service
+    -vr_manager_service
+  }:service_manager find;
  neverallow {
    domain
    -coredomain
    -appdomain
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } servicemanager:binder { call transfer };
+')

-  ##
-  # On full TREBLE devices core android components and vendor components may
-  # not directly access each other data types. All communication must occur
-  # over HW binder. Open file descriptors may be passed and read/write/stat
-  # operations my be performed on those FDs. Disallow all other operations.
-  #
+##
+# On full TREBLE devices core android components and vendor components may
+# not directly access each other's data types. All communication must occur
+# over HW binder. Open file descriptors may be passed and read/write/stat
+# operations my be performed on those FDs. Disallow all other operations.
+full_treble_only(`
  # do not allow vendor component access to coredomains data types
  neverallow {
    domain
@@ -479,7 +509,6 @@ full_treble_only(`
    -appdomain
    -coredata_in_vendor_violators
  } system_data_file:dir ~search;
-
 ')

 # On full TREBLE devices, socket communications between core components and vendor components are