From cba70be751dee6482f3cedc8b6f9e34195c59167 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Tue, 21 Mar 2017 16:01:52 -0700
Subject: [PATCH] Initial sepolicy for vndservicemanager.

vndservicemanager is the context manager for binder services that are solely registered and accessed from vendor processes.

Bug: 36052864
Test: vendorservicemanager runs
Change-Id: Ifbf536932678d0ff13d019635fe6347e185ef387
---
 private/file_contexts | 1 +
 public/device.te | 1 +
 public/domain.te | 12 ++++++++----
 public/te_macros | 14 ++++++++++++++
 public/vndservicemanager.te | 2 ++
 vendor/file_contexts | 2 +-
 vendor/vndservicemanager.te | 14 ++++++++++++++
 7 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 public/vndservicemanager.te
 create mode 100644 vendor/vndservicemanager.te

diff --git a/private/file_contexts b/private/file_contexts
index 9a1c49676..4d6210926 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -155,6 +155,7 @@
 /dev/usb_accessory u:object_r:usbaccessory_device:s0
 /dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
 /dev/video[0-9]* u:object_r:video_device:s0
+/dev/vndbinder u:object_r:vndbinder_device:s0
 /dev/watchdog u:object_r:watchdog_device:s0
 /dev/xt_qtaguid u:object_r:qtaguid_device:s0
 /dev/zero u:object_r:zero_device:s0
diff --git a/public/device.te b/public/device.te
index c9c64dc00..53414e2cf 100644
--- a/public/device.te
+++ b/public/device.te
@@ -7,6 +7,7 @@ type audio_timer_device, dev_type;
 type audio_seq_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
 type block_device, dev_type;
 type camera_device, dev_type;
 type dm_device, dev_type;
diff --git a/public/domain.te b/public/domain.te
index 9631c9c76..5f7da0bf3 100644
--- a/public/domain.te
+++ b/public/domain.te
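Review bot: `type vndbinder_device, dev_type;` is declared without the `mlstrustedobject` attribute that the adjacent `binder_device` and `hwbinder_device` lines carry, and nothing in the hunk says whether that is deliberate. If the intent is that only vendor daemons at a single MLS level ever open this node, a comment such as `# vndbinder is vendor-only; intentionally not mlstrustedobject` would keep a later "harmonising" change from widening access; if it is not deliberate, clients at other MLS levels would presumably be refused by the MLS constraints rather than by an explicit rule. Either way the choice belongs next to the declaration.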
@@ -66,8 +66,8 @@ allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file rw_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
-allow { domain -hwservicemanager } binder_device:chr_file rw_file_perms;
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
+allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+allow { domain -servicemanager -vndservicemanager } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain random_device:chr_file rw_file_perms;
@@ -410,11 +410,15 @@ neverallow {
 -ueventd
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-# Only servicemanager/hwservicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager} *:binder set_context_mgr;
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
 # The service managers are only allowed to access their own device node
 neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
diff --git a/public/te_macros b/public/te_macros
index 60de5684e..103b73b3e 100644
--- a/public/te_macros
+++ b/public/te_macros
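Review bot: The new neverallow lines in the second hunk keep each of the three context managers off the other two device nodes, but nothing here (nor in the first hunk of this file) keeps non-vendor domains off `vndbinder_device`, so the "solely vendor processes" property stated in the commit message is enforced only by convention about who invokes `vndbinder_use`. If the set of core/system domains is expressible in this tree, a rule in the same shape as the existing ones, `neverallow { <non-vendor domain set> } vndbinder_device:chr_file no_rw_file_perms;`, would turn that property into a compile-time guarantee instead of a review item. The first hunk rightly does not extend the blanket `allow domain … binder_device`/`hwbinder_device` grants to the new node, so access to vndbinder stays opt-in per domain.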
@@ -313,6 +313,20 @@ get_prop($1, vold_prop)
 # all domains in domain.te.
 ')
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:process getattr;
+')
+
 #####################################
 # binder_call(clientdomain, serverdomain)
 # Allow clientdomain to perform binder IPC to serverdomain.
diff --git a/public/vndservicemanager.te b/public/vndservicemanager.te
new file mode 100644
index 000000000..6b9f73dc0
--- /dev/null
+++ b/public/vndservicemanager.te
@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 2c24d5fef..6e6ea371c 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -30,7 +30,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/hostapd u:object_r:hostapd_exec:s0
-
+/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
 #############################
 # Data files
 #
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
new file mode 100644
index 000000000..9357042f5
--- /dev/null
+++ b/vendor/vndservicemanager.te
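Review bot: The header comment of the new `vndbinder_use` macro, `# Allow domain to use Binder IPC.`, reads like a copy of the generic binder macro's header and does not say which binder it grants, so someone scanning te_macros cannot tell it apart from the non-vendor variant; change it to `# Allow domain to use vendor Binder IPC (vndbinder / vndservicemanager).`. The rules themselves follow the same shape as the surrounding macros, and the `dir search` / `file { read open }` / `process getattr` grants to vndservicemanager are explained by the getpidcon comment immediately above them, which is good.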
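Review bot: The new `vndservicemanager_exec` labelling line in vendor/file_contexts replaces the blank separator line instead of being inserted above it, so the `bin/` entries now run straight into the `# Data files` banner; keep the new line and restore the empty line after it so the section break survives. The label matches the `vndservicemanager_exec` type declared in vendor/vndservicemanager.te, so the transition itself looks consistent.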
@@ -0,0 +1,14 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager_exec, exec_type, file_type;
+
+init_daemon_domain(vndservicemanager);
+
+allow vndservicemanager self:binder set_context_mgr;
+
+# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
+allow vndservicemanager { domain -init }:binder transfer;
+
+allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(vndservicemanager)
-- 
GitLab
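Review bot: The domain is given `set_context_mgr`, `transfer` to `{ domain -init }` and rw on `vndbinder_device`, but no `service_manager` class permissions are granted to or from any type, so whatever `selinux_check_access(vndservicemanager)` decides for service add/find at runtime will come from rules that are not in this patch. A comment above `selinux_check_access(vndservicemanager)` stating where vndservicemanager's service contexts and add/find rules are expected to come from, or that they are intentionally deferred, would let the next reader distinguish an unfinished policy from a deliberate one. The `{ domain -init }` transfer grant already carries its own TODO, so nothing further is needed on that line.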