From 76206abc9f5140e85da2d4e4845eca2c4f3a6ad5 Mon Sep 17 00:00:00 2001
From: Riley Spahn <rileyspahn@google.com>
Date: Mon, 7 Jul 2014 09:27:53 -0700
Subject: [PATCH] Add neverallow rules further restricing service_manager.

Add a neverallow rule that prevents domain from adding a
default_android_service. Add a neverallow rule that prevents
untrusted_app from ever adding a service through
servicemanager.

Change-Id: I963671fb1224147bb49ec8f0b6be0dcc91c23156
---
 domain.te        | 7 +++++++
 untrusted_app.te | 5 +++++
 2 files changed, 12 insertions(+)

diff --git a/domain.te b/domain.te
index 1a3feb435..9f5ea9b6f 100644
--- a/domain.te
+++ b/domain.te
@@ -289,3 +289,10 @@ neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
 # mount to another type.
 neverallow { domain -recovery } contextmount_type:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Do not allow service_manager add for default_android_service.
+# Instead domains should use a more specific type such as
+# system_app_service rather than the generic type.
+# New service_types are defined in service.te and new mappings
+# from service name to service_type are defined in service_contexts.
+neverallow domain default_android_service:service_manager add;
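Review bot: The new rule on the last line makes the subject `domain`, i.e. every domain including the ones that legitimately register services, so any existing `allow <dom> default_android_service:service_manager add` anywhere in the policy will now fail at policy build time rather than be caught at runtime; the hunk gives no indication that the rest of the policy was checked for such rules, so that should be confirmed before merging. The comment explains the intent well but not the mechanism; a line such as `# This is a build-time assertion: a domain that still needs to add must be given a dedicated service type first.` would make the failure mode obvious to whoever hits it. Note also that the rule only constrains `add`; `find` on `default_android_service` is unaffected, which appears to be intended but is worth stating in the comment since the two permissions are easy to conflate.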
diff --git a/untrusted_app.te b/untrusted_app.te
index 50a02da68..35b32487e 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -71,3 +71,8 @@ allow untrusted_app cache_file:file create_file_perms;
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow untrusted_app debugfs:file read;
+
+# Do not allow untrusted apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow untrusted_app service_manager_type:service_manager add;
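Review bot: The new rule on the last line uses `service_manager_type` as the target, which is presumably an attribute grouping all service types (the hunk does not show its definition); if it is not declared in service.te, or if some service types are defined without it, the neverallow is either a build error or silently narrower than the comment claims, so that attribute's coverage should be verified. The rule is scoped to `untrusted_app` only; if other app-facing domains exist that should never register services, they are not covered here and the same rule would be needed there, although that may already be handled elsewhere in the policy. The comment could also record the deliberate asymmetry, e.g. `# find is still permitted so apps can look up system services; only add is forbidden.`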
-- 
GitLab