From 9ce99e3908fcd81430bc9612e5d86819939b6db2 Mon Sep 17 00:00:00 2001 From: Stephen Smalley <sds@tycho.nsa.gov> Date: Fri, 16 Nov 2012 09:17:54 -0500 Subject: [PATCH] Update binder-related policy. The binder_transfer_binder hook was changed in the kernel, obsoleting the receive permission and changing the target of the transfer permission. Update the binder-related policy to match the revised permission checking. Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> --- access_vectors | 1 - app.te | 2 -- mediaserver.te | 1 - servicemanager.te | 2 +- surfaceflinger.te | 1 + system.te | 4 ---- te_macros | 19 ++++++------------- unconfined.te | 2 +- 8 files changed, 9 insertions(+), 23 deletions(-)
diff --git a/access_vectors b/access_vectors
index 4de34631c..b039b0b67 100644
--- a/access_vectors
+++ b/access_vectors
@@ -871,7 +871,6 @@ class binder
 	call
 	set_context_mgr
 	transfer
-	receive
 }
 
 class zygote
diff --git a/app.te b/app.te
index 65d710a07..de7b7d05d 100644
--- a/app.te
+++ b/app.te
@@ -188,10 +188,8 @@ allow appdomain qtaguid_device:chr_file r_file_perms;
 binder_use(appdomain)
 # Perform binder IPC to binder services.
 binder_call(appdomain, binderservicedomain)
-binder_transfer(appdomain, binderservicedomain)
 # Perform binder IPC to other apps.
 binder_call(appdomain, appdomain)
-binder_transfer(appdomain, appdomain)
 
 # Appdomain interaction with isolated apps
 r_dir_file(appdomain, isolated_app)
diff --git a/mediaserver.te b/mediaserver.te
index f5274d95c..f941c6a63 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -13,7 +13,6 @@ r_dir_file(mediaserver, sdcard)
 binder_use(mediaserver)
 binder_call(mediaserver, binderservicedomain)
 binder_call(mediaserver, appdomain)
-binder_transfer(mediaserver, surfaceflinger)
 binder_service(mediaserver)
 
 allow mediaserver kernel:system module_request;
diff --git a/servicemanager.te b/servicemanager.te
index fefbe080d..a78a485bb 100644
--- a/servicemanager.te
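Review bot: Dropping `receive` from class binder in access_vectors ties this policy to a kernel whose binder_transfer_binder hook no longer checks it; on a kernel that still does, the check hits a permission the loaded policy does not define, and the outcome then depends on how that policy handles unknown classes and permissions rather than on any rule in this tree. Worth stating the kernel this policy now expects, either in the commit message or next to the class, e.g. `# receive was removed when the kernel hook stopped checking it; kernel and policy must agree.` Any device policy still naming `receive` now fails at build time, which is the preferable failure mode.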
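Review bot: The removed `binder_transfer(mediaserver, surfaceflinger)` is only covered if surfaceflinger is reached through `binder_call(mediaserver, binderservicedomain)` two lines above it, which with the revised binder_call macro expands to `allow mediaserver binderservicedomain:binder { call transfer }`; that holds only if binder_service(surfaceflinger) places surfaceflinger in binderservicedomain, and that macro body is outside this patch. Please confirm, since under the recipient-based check mediaserver would otherwise lose the ability to hand Binder references to surfaceflinger. A short comment such as `# Transfers to surfaceflinger are covered via binderservicedomain.` would make the dependency visible to the next editor.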
+++ b/servicemanager.te
@@ -11,4 +11,4 @@ init_daemon_domain(servicemanager)
 # created by other domains. It never passes its own references
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
-allow servicemanager domain:binder { receive transfer };
+allow servicemanager domain:binder transfer;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 10a57ee93..30b181688 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -12,6 +12,7 @@ unix_socket_connect(surfaceflinger, property, init)
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, system)
 binder_service(surfaceflinger)
+allow surfaceflinger init:binder transfer;
 
 # Access /dev/graphics/fb0.
 allow surfaceflinger graphics_device:dir search;
diff --git a/system.te b/system.te
index 192b14fbe..7e207c3ae 100644
--- a/system.te
+++ b/system.te
@@ -8,7 +8,6 @@ app_domain(system_app)
 
 # Perform binder IPC to any app domain.
 binder_call(system_app, appdomain)
-binder_transfer(system_app, appdomain)
 
 # Read and write system data files.
 # May want to split into separate types.
@@ -121,9 +120,6 @@ binder_use(system)
 binder_call(system, binderservicedomain)
 binder_call(system, appdomain)
 binder_service(system)
-# Transfer other Binder references.
-binder_transfer(system, binderservicedomain)
-binder_transfer(system, appdomain)
 
 # Read /proc/pid files for Binder clients.
 r_dir_file(system, appdomain)
diff --git a/te_macros b/te_macros
index 6354496ad..7883c40ec 100644
--- a/te_macros
+++ b/te_macros
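Review bot: With `receive` gone, `allow servicemanager domain:binder transfer;` is now the only SELinux check on servicemanager handing a looked-up reference to a client, and it is granted to every domain; the kernel no longer expresses which domain may obtain which service, so that decision rests on servicemanager's own checks and on whether the client holds `call` to the service domain through binder_call(). That looks intended, but the comment above (which begins outside this hunk) only says servicemanager never passes its own references. Consider adding `# Any domain may be handed a reference it looked up; the per-service gate is binder_call() on the service domain.` so the reasoning is recorded next to the rule.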
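Review bot: `allow surfaceflinger init:binder transfer;` is added as a bare rule with no comment, unlike the macro-based lines around it, and nothing in this patch says which transaction requires surfaceflinger to pass Binder references into init. Under the revised check the target is the recipient, so this is surfaceflinger giving init objects rather than the reverse; please document the reason, e.g. `# surfaceflinger passes Binder references to init during <TODO: name the IPC>.` If the actual need is for init to call surfaceflinger rather than to receive references from it, binder_call() would be the consistent form.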
@@ -152,10 +152,8 @@ allow $1 $3:unix_dgram_socket sendto;
 # binder_use(domain)
 # Allow domain to use Binder IPC.
 define(`binder_use', `
-# Get Binder references from the servicemanager.
-allow $1 servicemanager:binder call;
-# Transfer and receive own Binder references.
-allow $1 self:binder { transfer receive };
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
 # Map /dev/ashmem with PROT_EXEC.
 allow $1 ashmem_device:chr_file execute;
 # rw access to /dev/binder and /dev/ashmem is presently granted to
@@ -166,19 +164,14 @@ allow $1 ashmem_device:chr_file execute;
 # binder_call(clientdomain, serverdomain)
 # Allow clientdomain to perform binder IPC to serverdomain.
 define(`binder_call', `
-# First we receive a Binder ref to the server, then we call it.
-allow $1 $2:binder { receive call };
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
 # Receive and use open files from the server.
 allow $1 $2:fd use;
 ')
 
-#####################################
-# binder_transfer(clientdomain, serverdomain)
-# Allow clientdomain to transfer Binder references created by serverdomain.
-define(`binder_transfer', `
-allow $1 $2:binder transfer;
-')
-
 #####################################
 # binder_service(domain)
 # Mark a domain as being a Binder service domain.
diff --git a/unconfined.te b/unconfined.te
index ff5359577..e016584a3 100644
--- a/unconfined.te
+++ b/unconfined.te
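Review bot: The replacement `allow $1 servicemanager:binder { call transfer };` in binder_use grants every binder-using domain the right to hand Binder references to servicemanager, which as far as I can tell is only needed to register a service; a client that merely looks one up sends no reference and needs only `call`. Since app.te applies binder_use(appdomain), this hands every app the transfer half as well. If binder_service() is the macro that marks service domains (its body is outside this hunk), keeping `allow $1 servicemanager:binder call;` here and adding `allow $1 servicemanager:binder transfer;` there would keep registration rights with the domains that actually register. servicemanager may enforce its own registration list, but the policy rule would then reflect least privilege rather than rely on it.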
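Review bot: The header comment `# Allow clientdomain to perform binder IPC to serverdomain.` above binder_call no longer describes the macro, which now also emits a rule with $2 as the subject (`allow $2 $1:binder transfer;`); a caller that passes a broad attribute as the second argument therefore grants transfer from that whole attribute to the client. Suggest `# Allow clientdomain to call serverdomain and pass Binder references to it; serverdomain may pass references back to clientdomain.` Note also that binder_transfer() is deleted outright rather than left as a deprecated alias, so any policy outside this tree still invoking it breaks at build time; that is a reasonable choice but deserves a line in the commit message.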
@@ -20,5 +20,5 @@ allow unconfineddomain netif_type:netif *;
 allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
-allow unconfineddomain domain:binder { call transfer receive };
+allow unconfineddomain domain:binder { call transfer };
 allow unconfineddomain property_type:property_service set;
-- GitLab