From 2234f9ff579f9e928d868372f5bd7499e2da7bd1 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 8 Apr 2015 21:30:48 -0700
Subject: [PATCH] gatekeeperd: neverallow non-system_server binder call

The current neverallow rule (compile time assertion)

  neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;

asserts that no rule is present which allows processes other than
system_server from asking servicemanager for a gatekeeperd token.

However, if system_server leaks the token to other processes, it may
be possible for those processes to access gatekeeperd directly, bypassing
servicemanager.

Add a neverallow rule to assert that no process other than system_server
are allowed to make binder calls to gatekeeperd. Even if another process
was to manage to get a binder token to gatekeeperd, it would be useless.

Remove binder_service() from gatekeeperd. The original use of the
binder_service() macro was to widely publish a binder service.
If this macro is present and the calling process has a gatekeeperd
binder token, it's implicitly possible for the following processes
to make a binder call to gatekeeperd:

 * all app processes
 * dumpstate
 * system_server
 * mediaserver
 * surfaceflinger

Removing binder_service revokes this implicit access.

Add explicit access for system_server to make binder calls to
gatekeeperd.

Add explicit access for gatekeeperd to make calls to keystore.
This was implicitly granted via binder_service() before, but now
needs to be explicit.

Change-Id: I23c1573d04ab670a42660d5922b39eecf4265b66
---
 gatekeeperd.te   | 4 +++-
 system_server.te | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/gatekeeperd.te b/gatekeeperd.te
index dfb2c7fc3..5cc7ceaf0 100644
--- a/gatekeeperd.te
+++ b/gatekeeperd.te
@@ -4,13 +4,14 @@ type gatekeeperd_exec, exec_type, file_type;
 # gatekeeperd
 init_daemon_domain(gatekeeperd)
 binder_use(gatekeeperd)
-binder_service(gatekeeperd)
 allow gatekeeperd tee_device:chr_file rw_file_perms;
 
 # need to find KeyStore and add self
 allow gatekeeperd gatekeeper_service:service_manager { add find };
 
 # Need to add auth tokens to KeyStore
+allow gatekeeperd keystore_service:service_manager find;
+binder_call(gatekeeperd, keystore)
 allow gatekeeperd keystore:keystore_key { add_auth };
 
 # For permissions checking
@@ -19,3 +20,4 @@ allow gatekeeperd permission_service:service_manager find;
 
 neverallow { domain -gatekeeperd -system_server } gatekeeper_service:service_manager find;
 neverallow { domain -gatekeeperd } gatekeeper_service:service_manager add;
+neverallow { domain -system_server } gatekeeperd:binder call;
diff --git a/system_server.te b/system_server.te
index ac7a7c753..d8e59788c 100644
--- a/system_server.te
+++ b/system_server.te
@@ -122,6 +122,7 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 # Perform Binder IPC.
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
+binder_call(system_server, gatekeeperd)
 binder_call(system_server, appdomain)
 binder_call(system_server, dumpstate)
 binder_service(system_server)
-- 
GitLab