Skip to content
Snippets Groups Projects
Commit e9a8b752 authored by android-build-team Robot's avatar android-build-team Robot
Browse files

release-request-767e2998-9243-43e0-b656-1acb30ac5115-for-git_oc-release-412463...

release-request-767e2998-9243-43e0-b656-1acb30ac5115-for-git_oc-release-4124637 snap-temp-L74200000076595014

Change-Id: Ic312ff1e4b6c00cb56b9bc065313b1b0f70c8997
parents f23b2ddd 0e0ed156
No related branches found
No related tags found
No related merge requests found
...@@ -132,20 +132,63 @@ neverallow all_untrusted_apps *:hwservice_manager ~find; ...@@ -132,20 +132,63 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
# incidence rate of security issues than system/core components and have # incidence rate of security issues than system/core components and have
# access to lower layes of the stack (all the way down to hardware) thus # access to lower layes of the stack (all the way down to hardware) thus
# increasing opportunities for bypassing the Android security model. # increasing opportunities for bypassing the Android security model.
neverallow all_untrusted_apps { #
hwservice_manager_type # Safe services include:
# Same process services are safe because they by definition run in the process # - same process services: because they by definition run in the process
# of the client and thus have the same access as the client domain in which # of the client and thus have the same access as the client domain in which
# the process runs # the process runs
# - coredomain_hwservice: are considered safe because they do not pose risks
# associated with reason #2 above.
# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
# designed for use by any domain.
# - hal_graphics_allocator_hwservice: because these operations are also offered
# by surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
# Binder service which apps were permitted to access.
neverallow all_untrusted_apps {
hwservice_manager_type
-same_process_hwservice -same_process_hwservice
-coredomain_hwservice # neverallows for coredomain HwBinder services are below -coredomain_hwservice
-hal_configstore_ISurfaceFlingerConfigs # Designed for use by any domain -hal_configstore_ISurfaceFlingerConfigs
# These operations are also offered by surfaceflinger Binder service which
# apps are permitted to access
-hal_graphics_allocator_hwservice -hal_graphics_allocator_hwservice
# HwBinder version of mediacodec Binder service which apps were permitted to
# access
-hal_omx_hwservice -hal_omx_hwservice
-untrusted_app_visible_hwservice
}:hwservice_manager find;
neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
# Make sure that the following services are never accessible by untrusted_apps
neverallow all_untrusted_apps {
default_android_hwservice
hal_audio_hwservice
hal_bluetooth_hwservice
hal_bootctl_hwservice
hal_camera_hwservice
hal_contexthub_hwservice
hal_drm_hwservice
hal_dumpstate_hwservice
hal_fingerprint_hwservice
hal_gatekeeper_hwservice
hal_gnss_hwservice
hal_graphics_composer_hwservice
hal_health_hwservice
hal_ir_hwservice
hal_keymaster_hwservice
hal_light_hwservice
hal_memtrack_hwservice
hal_nfc_hwservice
hal_oemlock_hwservice
hal_power_hwservice
hal_sensors_hwservice
hal_telephony_hwservice
hal_thermal_hwservice
hal_tv_cec_hwservice
hal_tv_input_hwservice
hal_usb_hwservice
hal_vibrator_hwservice
hal_vr_hwservice
hal_weaver_hwservice
hal_wifi_hwservice
hal_wifi_supplicant_hwservice
hidl_base_hwservice
}:hwservice_manager find; }:hwservice_manager find;
# HwBinder services offered by core components (as opposed to vendor components) # HwBinder services offered by core components (as opposed to vendor components)
# are considered somewhat safer due to point #2 above. # are considered somewhat safer due to point #2 above.
......
...@@ -144,6 +144,15 @@ attribute socket_between_core_and_vendor_violators; ...@@ -144,6 +144,15 @@ attribute socket_between_core_and_vendor_violators;
# TODO(b/36463595) # TODO(b/36463595)
attribute vendor_executes_system_violators; attribute vendor_executes_system_violators;
# hwservices that are accessible from untrusted applications
# WARNING: Use of this attribute should be avoided unless
# absolutely necessary. It is a temporary allowance to aid the
# transition to treble and will be removed in a future platform
# version, requiring all hwservices that are labeled with this
# attribute to be submitted to AOSP in order to maintain their
# app-visibility.
attribute untrusted_app_visible_hwservice;
# PDX services # PDX services
attribute pdx_endpoint_dir_type; attribute pdx_endpoint_dir_type;
attribute pdx_endpoint_socket_type; attribute pdx_endpoint_socket_type;
......
...@@ -8,10 +8,11 @@ neverallow { ...@@ -8,10 +8,11 @@ neverallow {
-rild -rild
} self:capability { net_admin net_raw }; } self:capability { net_admin net_raw };
# Unless a HAL's job is to manage network hardware, it should not be # Unless a HAL's job is to communicate over the network, or control network
# using network sockets. # hardware, it should not be using network sockets.
neverallow { neverallow {
halserverdomain halserverdomain
-hal_tetheroffload_server
-hal_wifi_server -hal_wifi_server
-hal_wifi_supplicant_server -hal_wifi_supplicant_server
-rild -rild
......
...@@ -2,7 +2,3 @@ ...@@ -2,7 +2,3 @@
# public, but conceptually should go with this # public, but conceptually should go with this
type rild_exec, exec_type, vendor_file_type, file_type; type rild_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(rild) init_daemon_domain(rild)
# TODO(b/36613472), TODO(b/36718031): Remove this once rild no longer
# communicates with non-vendor components over sockets.
typeattribute rild socket_between_core_and_vendor_violators;
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment