Merge "Ban socket connections between core and vendor"

private/bluetooth.te

@@ -49,6 +49,7 @@ allow bluetooth surfaceflinger_service:service_manager find;
 allow bluetooth app_api_service:service_manager find;
 allow bluetooth system_api_service:service_manager find;
 
+# TODO(b/36613472): Remove this once bluetooth daemon does not communicate with rild over sockets
 # Bluetooth Sim Access Profile Socket to the RIL
 unix_socket_connect(bluetooth, sap_uim, rild)
 

private/tee.te

 typeattribute tee coredomain;
 
 init_daemon_domain(tee)
+
+# TODO(b/36601092, b/36601602): Remove this once Keymaster HAL and DRM HAL no longer communicate
+# with tee daemon over sockets or once the tee daemon is moved to vendor partition
+typeattribute tee socket_between_core_and_vendor_violators;

public/attributes

@@ -122,6 +122,11 @@ attribute coredomain;
 # TODO(b/35870313): Remove this once there are no violations
 attribute binder_in_vendor_violators;
 
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients

public/domain.te

@@ -441,6 +441,51 @@ full_treble_only(`
   } servicemanager:binder { call transfer };
 ')
 
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+full_treble_only(`
+  # Most general rules first, more specific rules below.
+
+  # Core domains are not permitted to initiate communications to vendor domain sockets.
+  # We are not restricting the use of already established sockets because it is fine for a process
+  # to obtain an already established socket via some public/official/stable API and then exchange
+  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+  # and thus does not break the core-vendor separation.
+  neverallow_establish_socket_comms({
+    coredomain
+    -init
+    -adbd
+  }, {
+    domain
+    -coredomain
+    -socket_between_core_and_vendor_violators
+  });
+  # Vendor domains are not permitted to initiate communications to core domain sockets
+  neverallow_establish_socket_comms({
+    domain
+    -coredomain
+    -appdomain
+    -socket_between_core_and_vendor_violators
+  }, {
+    coredomain
+    -logd # Logging by writing to logd Unix domain socket is public API
+    -netd # netdomain needs this
+    -mdnsd # netdomain needs this
+    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+    -init
+    -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
+    -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+  });
+
+  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+  neverallow_establish_socket_comms({
+    domain
+    -coredomain
+    -netdomain
+    -socket_between_core_and_vendor_violators
+  }, netd);
+')
+
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
   domain

public/hal_keymaster.te

@@ -2,6 +2,7 @@
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
+# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
 allow hal_keymaster tee:unix_stream_socket connectto;
 
 allow hal_keymaster ion_device:chr_file r_file_perms;

public/neverallow_macros

@@ -4,3 +4,12 @@ define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setatt
 define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
 define(`no_x_file_perms', `{ execute execute_no_trans }')
 define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+  neverallow $1 $2:socket_class_set { connect sendto };
+  neverallow $1 $2:unix_stream_socket connectto;
+')

public/radio.te

@@ -5,6 +5,7 @@ net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
 
+# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
 # Talks to rild via the rild socket.
 unix_socket_connect(radio, rild, rild)
 

vendor/hal_audio_default.te

@@ -5,3 +5,5 @@ type hal_audio_default_exec, exec_type, file_type;
 init_daemon_domain(hal_audio_default)
 
 hal_client_domain(hal_audio_default, hal_allocator)
+
+typeattribute hal_audio_default socket_between_core_and_vendor_violators;

vendor/hal_drm_default.te

@@ -6,3 +6,6 @@ init_daemon_domain(hal_drm_default)
 
 allow hal_drm_default mediacodec:fd use;
 allow hal_drm_default { appdomain -isolated_app }:fd use;
+
+# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
+typeattribute hal_drm_default socket_between_core_and_vendor_violators;

vendor/hal_keymaster_default.te

@@ -3,3 +3,6 @@ hal_server_domain(hal_keymaster_default, hal_keymaster)
 
 type hal_keymaster_default_exec, exec_type, file_type;
 init_daemon_domain(hal_keymaster_default)
+
+# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
+typeattribute hal_keymaster_default socket_between_core_and_vendor_violators;