Merge "Further restrict access to Binder services from vendor" into oc-dev am: b5081ea0

am: ff61a10c Change-Id: Ie0c415ee9e79628f0048ff30d0daffbd89420f74

Merge "Further restrict access to Binder services from vendor" into oc-dev am: b5081ea0
770e6b7c · Alex Klyubin · android-build-merger · 9994cb58 · ff61a10c · 770e6b7c
Commit 770e6b7c authored 8 years ago by Alex Klyubin Committed by android-build-merger 8 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -442,19 +442,49 @@ full_treble_only(`
    -appdomain
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } binder_device:chr_file rw_file_perms;
+  neverallow {
+    domain
+    -coredomain
+    -appdomain # restrictions for vendor apps are declared lower down
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } service_manager_type:service_manager find;
+  # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+  # services which can change any time framework/core is updated, breakage is likely.
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    service_manager_type
+    -app_api_service
+    -ephemeral_app_api_service
+    -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+    -cameraserver_service
+    -drmserver_service
+    -keystore_service
+    -mediacasserver_service
+    -mediadrmserver_service
+    -mediaextractor_service
+    -mediametrics_service
+    -mediaserver_service
+    -nfc_service
+    -radio_service
+    -surfaceflinger_service
+    -vr_manager_service
+  }:service_manager find;
  neverallow {
    domain
    -coredomain
    -appdomain
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
  } servicemanager:binder { call transfer };
+')
-  ##
+##
-  # On full TREBLE devices core android components and vendor components may
+# On full TREBLE devices core android components and vendor components may
-  # not directly access each other data types. All communication must occur
+# not directly access each other's data types. All communication must occur
-  # over HW binder. Open file descriptors may be passed and read/write/stat
+# over HW binder. Open file descriptors may be passed and read/write/stat
-  # operations my be performed on those FDs. Disallow all other operations.
+# operations my be performed on those FDs. Disallow all other operations.
-  #
+full_treble_only(`
  # do not allow vendor component access to coredomains data types
  neverallow {
    domain
@@ -479,7 +509,6 @@ full_treble_only(`
    -appdomain
    -coredata_in_vendor_violators
  } system_data_file:dir ~search;
 ')
 # On full TREBLE devices, socket communications between core components and vendor components are