Assert apps can access only approved HwBinder services am: 2a7f4fb0

am: 7b021be4 Change-Id: I0e93aecc3b40a3d00bfdea354fe9a4987b28fabb

Assert apps can access only approved HwBinder services am: 2a7f4fb0
18152ddc · Alex Klyubin · android-build-merger · 23d807a1 · 7b021be4 · 18152ddc
Commit 18152ddc authored 7 years ago by Alex Klyubin Committed by android-build-merger 7 years ago
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -107,3 +107,55 @@ neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
 # Locking of files on /system could lead to denial of service attacks
 # against privileged system components
 neverallow all_untrusted_apps system_file:file lock;
+# Do not permit access from apps which host arbitrary code to HwBinder services,
+# except those considered sufficiently safe for access from such apps.
+# The two main reasons for this are:
+# 1. HwBinder servers do not perform client authentication because HIDL
+#    currently does not expose caller UID information and, even if it did, many
+#    HwBinder services either operate at a level below that of apps (e.g., HALs)
+#    or must not rely on app identity for authorization. Thus, to be safe, the
+#    default assumption is that every HwBinder service treats all its clients as
+#    equally authorized to perform operations offered by the service.
+# 2. HAL servers (a subset of HwBinder services) contain code with higher
+#    incidence rate of security issues than system/core components and have
+#    access to lower layes of the stack (all the way down to hardware) thus
+#    increasing opportunities for bypassing the Android security model.
+neverallow all_untrusted_apps {
+  hwservice_manager_type
+  # Same process services are safe because they by definition run in the process
+  # of the client and thus have the same access as the client domain in which
+  # the process runs
+  -same_process_hwservice
+  -coredomain_hwservice # neverallows for coredomain HwBinder services are below
+  -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
+  # These operations are also offered by surfaceflinger Binder service which
+  # apps are permitted to access
+  -hal_graphics_allocator_hwservice
+  # HwBinder version of mediacodec Binder service which apps were permitted to
+  # access
+  -hal_omx_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+  coredomain_hwservice
+  -same_process_hwservice
+  -hidl_allocator_hwservice # Designed for use by any domain
+  -hidl_manager_hwservice # Designed for use by any domain
+  -hidl_memory_hwservice # Designed for use by any domain
+  -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+# Restrict *Binder access from apps to HAL domains. We can only do this on full
+# Treble devices where *Binder communications between apps and HALs are tightly
+# restricted.
+full_treble_only(`
+  neverallow all_untrusted_apps {
+    halserverdomain
+    -coredomain
+    -hal_configstore_server
+    -hal_graphics_allocator_server
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  }:binder { call transfer };
+')
--- a/public/attributes
+++ b/public/attributes
@@ -94,6 +94,14 @@ attribute service_manager_type;
 # All types used for services managed by hwservicemanager
 attribute hwservice_manager_type;
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
 # All types used for services managed by vndservicemanager
 attribute vndservice_manager_type;

--- a/public/domain.te
+++ b/public/domain.te
@@ -1010,3 +1010,12 @@ neverallow {
 # Enforce AT_SECURE for executing crash_dump.
 neverallow domain crash_dump:process noatsecure;
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
--- a/public/hwservice.te
+++ b/public/hwservice.te
 type default_android_hwservice, hwservice_manager_type;
-type fwk_scheduler_hwservice, hwservice_manager_type;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_sensor_hwservice, hwservice_manager_type;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hal_audio_hwservice, hwservice_manager_type;
 type hal_bluetooth_hwservice, hwservice_manager_type;
 type hal_bootctl_hwservice, hwservice_manager_type;
@@ -14,7 +14,7 @@ type hal_gatekeeper_hwservice, hwservice_manager_type;
 type hal_gnss_hwservice, hwservice_manager_type;
 type hal_graphics_allocator_hwservice, hwservice_manager_type;
 type hal_graphics_composer_hwservice, hwservice_manager_type;
-type hal_graphics_mapper_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_health_hwservice, hwservice_manager_type;
 type hal_ir_hwservice, hwservice_manager_type;
 type hal_keymaster_hwservice, hwservice_manager_type;
@@ -24,7 +24,7 @@ type hal_nfc_hwservice, hwservice_manager_type;
 type hal_oemlock_hwservice, hwservice_manager_type;
 type hal_omx_hwservice, hwservice_manager_type;
 type hal_power_hwservice, hwservice_manager_type;
-type hal_renderscript_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
 type hal_sensors_hwservice, hwservice_manager_type;
 type hal_telephony_hwservice, hwservice_manager_type;
 type hal_thermal_hwservice, hwservice_manager_type;
@@ -37,9 +37,9 @@ type hal_weaver_hwservice, hwservice_manager_type;
 type hal_wifi_hwservice, hwservice_manager_type;
 type hal_wifi_offload_hwservice, hwservice_manager_type;
 type hal_wifi_supplicant_hwservice, hwservice_manager_type;
-type hidl_allocator_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_wifi_keystore_hwservice, hwservice_manager_type;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;