From 55c7750482e20029ba05918ea95249f2d0cd7fcf Mon Sep 17 00:00:00 2001
From: Dan Cashman <dcashman@google.com>
Date: Thu, 22 Jun 2017 14:32:21 -0700
Subject: [PATCH] Update sepolicy 26.0 prebuilts again, again.

Bug: 37896931
Test: none, just prebuilt update.
Change-Id: I55b5179f98703026699a59cce4b2e1afb166fd1d
---
 prebuilts/api/26.0/private/app_neverallows.te | 61 ++++++++++++++++---
 prebuilts/api/26.0/public/attributes          |  9 +++
 prebuilts/api/26.0/public/hal_neverallows.te  |  5 +-
 prebuilts/api/26.0/public/runas.te            |  1 +
 4 files changed, 65 insertions(+), 11 deletions(-)

diff --git a/prebuilts/api/26.0/private/app_neverallows.te b/prebuilts/api/26.0/private/app_neverallows.te
index 09177240e..3c159d5f1 100644
--- a/prebuilts/api/26.0/private/app_neverallows.te
+++ b/prebuilts/api/26.0/private/app_neverallows.te
@@ -132,20 +132,63 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 #    incidence rate of security issues than system/core components and have
 #    access to lower layes of the stack (all the way down to hardware) thus
 #    increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+#   of the client and thus have the same access as the client domain in which
+#   the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+#   associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs:  becuase it has specifically been
+#   designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+#   by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+#   Binder service which apps were permitted to access.
 neverallow all_untrusted_apps {
   hwservice_manager_type
-  # Same process services are safe because they by definition run in the process
-  # of the client and thus have the same access as the client domain in which
-  # the process runs
   -same_process_hwservice
-  -coredomain_hwservice # neverallows for coredomain HwBinder services are below
-  -hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain
-  # These operations are also offered by surfaceflinger Binder service which
-  # apps are permitted to access
+  -coredomain_hwservice
+  -hal_configstore_ISurfaceFlingerConfigs
   -hal_graphics_allocator_hwservice
-  # HwBinder version of mediacodec Binder service which apps were permitted to
-  # access
   -hal_omx_hwservice
+  -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+  default_android_hwservice
+  hal_audio_hwservice
+  hal_bluetooth_hwservice
+  hal_bootctl_hwservice
+  hal_camera_hwservice
+  hal_contexthub_hwservice
+  hal_drm_hwservice
+  hal_dumpstate_hwservice
+  hal_fingerprint_hwservice
+  hal_gatekeeper_hwservice
+  hal_gnss_hwservice
+  hal_graphics_composer_hwservice
+  hal_health_hwservice
+  hal_ir_hwservice
+  hal_keymaster_hwservice
+  hal_light_hwservice
+  hal_memtrack_hwservice
+  hal_nfc_hwservice
+  hal_oemlock_hwservice
+  hal_power_hwservice
+  hal_sensors_hwservice
+  hal_telephony_hwservice
+  hal_thermal_hwservice
+  hal_tv_cec_hwservice
+  hal_tv_input_hwservice
+  hal_usb_hwservice
+  hal_vibrator_hwservice
+  hal_vr_hwservice
+  hal_weaver_hwservice
+  hal_wifi_hwservice
+  hal_wifi_supplicant_hwservice
+  hidl_base_hwservice
 }:hwservice_manager find;
 # HwBinder services offered by core components (as opposed to vendor components)
 # are considered somewhat safer due to point #2 above.
diff --git a/prebuilts/api/26.0/public/attributes b/prebuilts/api/26.0/public/attributes
index 90740d456..cde55da19 100644
--- a/prebuilts/api/26.0/public/attributes
+++ b/prebuilts/api/26.0/public/attributes
@@ -144,6 +144,15 @@ attribute socket_between_core_and_vendor_violators;
 # TODO(b/36463595)
 attribute vendor_executes_system_violators;
 
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary.  It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
+
 # PDX services
 attribute pdx_endpoint_dir_type;
 attribute pdx_endpoint_socket_type;
diff --git a/prebuilts/api/26.0/public/hal_neverallows.te b/prebuilts/api/26.0/public/hal_neverallows.te
index feadcdadb..036e1d2dc 100644
--- a/prebuilts/api/26.0/public/hal_neverallows.te
+++ b/prebuilts/api/26.0/public/hal_neverallows.te
@@ -8,10 +8,11 @@ neverallow {
   -rild
 } self:capability { net_admin net_raw };
 
-# Unless a HAL's job is to manage network hardware, it should not be
-# using network sockets.
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
 neverallow {
   halserverdomain
+  -hal_tetheroffload_server
   -hal_wifi_server
   -hal_wifi_supplicant_server
   -rild
diff --git a/prebuilts/api/26.0/public/runas.te b/prebuilts/api/26.0/public/runas.te
index cda02efab..7a7febfc0 100644
--- a/prebuilts/api/26.0/public/runas.te
+++ b/prebuilts/api/26.0/public/runas.te
@@ -2,6 +2,7 @@ type runas, domain, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
 allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
 allow runas shell:fd use;
 allow runas shell:fifo_file { read write };
 allow runas shell:unix_stream_socket { read write };
-- 
GitLab