PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6922dfe366
android_system_sepolicy/private/app_neverallows.te

224 lines
9.3 KiB
Plaintext
Raw Normal View History

Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
###
### neverallow rules for untrusted app domains
###
untrusted_app: policy versioning based on targetSdkVersion Motivation: Provide the ability to phase in new security policies by applying them to apps with a minimum targetSdkVersion. Place untrusted apps with targetSdkVersion<=25 into the untrustd_app_25 domain. Apps with targetSdkVersion>=26 are placed into the untrusted_app domain. Common rules are included in the untrusted_app_all attribute. Apps with a more recent targetSdkVersion are granted fewer permissions. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Bug: 35323421 Change-Id: Ie6a015566fac07c44ea06c963c40793fcdc9a083
2017-02-13 13:33:27 -08:00
# Only allow domains in AOSP to use the untrusted_app_all attribute.
neverallow { untrusted_app_all -untrusted_app -untrusted_app_25 } domain:process fork;
Add untrusted_v2_app to all_untrusted_apps This was accidentally omitted from all_untrusted_app While I'm here, split across mutiple lines and alphabetize. Test: policy compiles. Change-Id: I7fe1d1d0a4ef2ed3ab010931ee2ba15637c2be51
2017-04-26 16:14:40 -07:00
define(`all_untrusted_apps',`{
ephemeral_app
isolated_app
mediaprovider
untrusted_app
untrusted_app_25
untrusted_app_all
untrusted_v2_app
}')
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Receive or send uevent messages.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 10:31:45 -08:00
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Receive or send generic netlink messages
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 10:31:45 -08:00
neverallow all_untrusted_apps domain:netlink_socket *;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 10:31:45 -08:00
neverallow all_untrusted_apps debugfs_type:file read;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 10:31:45 -08:00
neverallow all_untrusted_apps service_manager_type:service_manager add;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
Assert ban on framework <-> vendor comms over VndBinder This adds neverallow rules which enforce the prohibition on communication between framework and vendor components over VendorBinder. This prohibition is similar in spirit to the one for Binder communications. Most changes consist of adding neverallow rules, which do not affect runtime behavior. The only change which does affect runtime behavior is the change which takes away the right of servicemanager domain to transfer Binder tokens to hwservicemanager and vndservicemanager. This grant was there by accident (because it was overly broad) and is not expected to be needed: servicemanager, hwservicemanager, and vndservicemanager are not supposed to be communicating with each other. P. S. The new neverallow rules in app_neverallows.te are covered by the new rules in domain.te. The rules were nevertheless added to app_neverallows.te for consistency with other *Binder rules there. Test: mmm system/sepolicy Bug: 37663632 Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329
2017-04-25 09:27:54 -07:00
# Do not allow untrusted apps to use VendorBinder
neverallow all_untrusted_apps vndbinder_device:chr_file *;
neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
Split mediaprovider as a separate domain from priv_app MediaProvider requires permissions that diverge from those of a typical priv_app. This create a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
2017-04-10 16:57:48 -07:00
neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 10:31:45 -08:00
neverallow all_untrusted_apps mlstrustedsubject:process fork;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 10:31:45 -08:00
neverallow all_untrusted_apps file_type:file link;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Do not allow untrusted apps to access network MAC address file
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 10:31:45 -08:00
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 10:31:45 -08:00
neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow all_untrusted_apps *:{
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
socket netlink_socket packet_socket key_socket appletalk_socket
Remove obsolete netlink_firewall_socket and netlink_ip6fw_socket classes. The implementation for NETLINK_FIREWALL and NETLINK_IP6_FW protocols was removed from the kernel in commit d16cf20e2f2f13411eece7f7fb72c17d141c4a84 ("netfilter: remove ip_queue support") circa Linux 3.5. Unless we need to retain compatibility for kernels < 3.5, we can drop these classes from the policy altogether. Possibly the neverallow rule in app.te should be augmented to include the newer netlink security classes, similar to webview_zygote, but that can be a separate change. Test: policy builds Change-Id: Iab9389eb59c96772e5fa87c71d0afc86fe99bb6b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2017-02-06 11:14:58 -08:00
netlink_tcpdiag_socket netlink_nflog_socket
netlink_xfrm_socket netlink_audit_socket
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
netlink_rdma_socket netlink_crypto_socket
} *;
# Do not allow untrusted apps access to /cache
Split mediaprovider as a separate domain from priv_app MediaProvider requires permissions that diverge from those of a typical priv_app. This create a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
2017-04-10 16:57:48 -07:00
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Do not allow untrusted apps to create/unlink files outside of its sandbox,
# internal storage or sdcard.
# World accessible data locations allow application to fill the device
# with unaccounted for data. This data will not get removed during
# application un-installation.
Split mediaprovider as a separate domain from priv_app MediaProvider requires permissions that diverge from those of a typical priv_app. This create a new domain and removes Mtp related permissions from priv_app. Bug: 33574909 Test: Connect with MTP, download apps and files, select ringtones Test: DownloadProvider instrument tests, CtsProviderTestCases Change-Id: I950dc11f21048c34af639cb3ab81873d2a6730a9
2017-04-10 16:57:48 -07:00
neverallow { all_untrusted_apps -mediaprovider } {
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
fs_type
-fuse # sdcard
-sdcardfs # sdcard
-vfat
file_type
-app_data_file # The apps sandbox itself
-media_rw_data_file # Internal storage. Known that apps can
# leave artfacts here after uninstall.
-user_profile_data_file # Access to profile files
userdebug_or_eng(`
-method_trace_data_file # only on ro.debuggable=1
-coredump_file # userdebug/eng only
')
}:dir_file_class_set { create unlink };
relax fuse_device neverallow rules The fuse_device neverallow rules are too aggressive and are inhibiting certain vendor customizations. Relax the /dev/fuse neverallow rules so that they better reflect the security invariants we want to uphold. Bug: 37496487 Test: policy compiles. Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
2017-04-26 11:40:48 -07:00
# No untrusted component should be touching /dev/fuse
neverallow all_untrusted_apps fuse_device:chr_file *;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Do not allow untrusted apps to directly open tun_device
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 10:31:45 -08:00
neverallow all_untrusted_apps tun_device:chr_file open;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 10:31:45 -08:00
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
neverallow all_untrusted_apps anr_data_file:dir ~search;
Move neverallows from untrusted_app.te to app_neverallows.te The neverallows in untrusted_app will all apply equally to ephemeral app and any other untrusted app domains we may add, so this moves them to a dedicated separate file. This also removes the duplicate rules from isolated_app.te and ensures that all the untrusted_app neverallows also apply to isolated_app. Test: builds Change-Id: Ib38e136216ccbe5c94daab732b7ee6acfad25d0b
2017-01-27 15:53:38 -08:00
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
Add new untrusted_v2_app domain untrusted_v2_app is basically a refinement of untrusted_app with legacy capabilities removed and potentially backwards incompatible changes. This is not currently hooked up to anything. Bug: 33350220 Test: builds Change-Id: Ic9fad57476bc2b6022b1eaca8667bf6d844753c2
2017-02-06 10:31:45 -08:00
neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
Split preloads into media_file and data_file Untrusted apps should only access /data/preloads/media and demo directory. Bug: 36197686 Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
2017-03-14 11:42:03 -07:00
Do not allow untrusted apps any access to kernel configuration Bug: 37541374 Test: Build and boot sailfish Change-Id: I8afe9463070cca45b3f1029cc168a3bf00ed7cdc Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-21 11:25:29 -07:00
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
Split preloads into media_file and data_file Untrusted apps should only access /data/preloads/media and demo directory. Bug: 36197686 Test: Verified retail mode. Checked non-privileged APK cannot access /data/preloads Change-Id: I8e9c21ff6aba799aa31bf06893cdf60dafc04446
2017-03-14 11:42:03 -07:00
# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
app.te: prevent locks of files on /system Prevent app domains (processes spawned by zygote) from acquiring locks on files in /system. In particular, /system/etc/xtables.lock must never be lockable by applications, as it will block future iptables commands from running. Test: device boots and no obvious problems. Change-Id: Ifd8dc7b117cf4a622b30fd4fffbcab1b76c4421b
2017-03-22 10:35:24 -07:00
# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;
Assert apps can access only approved HwBinder services App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold: 1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service. 2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layes of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model. HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above. Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already as, because these services run in the process of the client. This commit thus introduces these two categories of HwBinder services in neverallow rules. Test: mmm system/sepolicy -- this does not change on-device policy Bug: 34454312 Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-21 17:06:43 -07:00
Assert untrusted apps can't add or list hwservicemanager This adds a neverallow rules which checks that SELinux app domains which host arbitrary code are not allowed to access hwservicemanager operations other than "find" operation for which there already are strict neverallow rules in the policy. Test: mmm system/sepolicy -- neverallow-only change Bug: 34454312 Change-Id: I3b80c6ae2c254495704e0409e0c5c88f6ce3a6a7
2017-04-24 15:09:19 -07:00
# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
Assert apps can access only approved HwBinder services App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold: 1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service. 2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layes of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model. HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above. Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already as, because these services run in the process of the client. This commit thus introduces these two categories of HwBinder services in neverallow rules. Test: mmm system/sepolicy -- this does not change on-device policy Bug: 34454312 Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-21 17:06:43 -07:00
# Do not permit access from apps which host arbitrary code to HwBinder services,
# except those considered sufficiently safe for access from such apps.
# The two main reasons for this are:
# 1. HwBinder servers do not perform client authentication because HIDL
# currently does not expose caller UID information and, even if it did, many
# HwBinder services either operate at a level below that of apps (e.g., HALs)
# or must not rely on app identity for authorization. Thus, to be safe, the
# default assumption is that every HwBinder service treats all its clients as
# equally authorized to perform operations offered by the service.
# 2. HAL servers (a subset of HwBinder services) contain code with higher
# incidence rate of security issues than system/core components and have
# access to lower layes of the stack (all the way down to hardware) thus
# increasing opportunities for bypassing the Android security model.
Remove neverallow preventing hwservice access for apps. Same-process HALs are forbidden except for very specific HALs that have been provided and whitelisted by AOSP. As a result, a vendor extension HAL may have a need to be accessed by untrusted_app. This is still discouraged, and the existing AOSP hwservices are still forbidden, but remove the blanket prohibition. Also indicate that this is temporary, and that partners should expect to get exceptions to the rule into AOSP in the future. Bug: 62806062 Test: neverallow-only change builds. Verify new attribute is in policy. Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
2017-06-21 10:00:32 -07:00
#
# Safe services include:
# - same process services: because they by definition run in the process
# of the client and thus have the same access as the client domain in which
# the process runs
# - coredomain_hwservice: are considered safe because they do not pose risks
# associated with reason #2 above.
# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
# designed for use by any domain.
# - hal_graphics_allocator_hwservice: because these operations are also offered
# by surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
# Binder service which apps were permitted to access.
Assert apps can access only approved HwBinder services App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold: 1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service. 2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layes of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model. HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above. Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already as, because these services run in the process of the client. This commit thus introduces these two categories of HwBinder services in neverallow rules. Test: mmm system/sepolicy -- this does not change on-device policy Bug: 34454312 Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-21 17:06:43 -07:00
neverallow all_untrusted_apps {
hwservice_manager_type
-same_process_hwservice
Remove neverallow preventing hwservice access for apps. Same-process HALs are forbidden except for very specific HALs that have been provided and whitelisted by AOSP. As a result, a vendor extension HAL may have a need to be accessed by untrusted_app. This is still discouraged, and the existing AOSP hwservices are still forbidden, but remove the blanket prohibition. Also indicate that this is temporary, and that partners should expect to get exceptions to the rule into AOSP in the future. Bug: 62806062 Test: neverallow-only change builds. Verify new attribute is in policy. Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
2017-06-21 10:00:32 -07:00
-coredomain_hwservice
-hal_configstore_ISurfaceFlingerConfigs
Assert apps can access only approved HwBinder services App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold: 1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service. 2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layes of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model. HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above. Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already as, because these services run in the process of the client. This commit thus introduces these two categories of HwBinder services in neverallow rules. Test: mmm system/sepolicy -- this does not change on-device policy Bug: 34454312 Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-21 17:06:43 -07:00
-hal_graphics_allocator_hwservice
-hal_omx_hwservice
Remove neverallow preventing hwservice access for apps. Same-process HALs are forbidden except for very specific HALs that have been provided and whitelisted by AOSP. As a result, a vendor extension HAL may have a need to be accessed by untrusted_app. This is still discouraged, and the existing AOSP hwservices are still forbidden, but remove the blanket prohibition. Also indicate that this is temporary, and that partners should expect to get exceptions to the rule into AOSP in the future. Bug: 62806062 Test: neverallow-only change builds. Verify new attribute is in policy. Change-Id: I6d3e659147d509a3503c2c9e0b6bb9016cc75832
2017-06-21 10:00:32 -07:00
-untrusted_app_visible_hwservice
}:hwservice_manager find;
neverallow untrusted_app_visible_hwservice unlabeled:service_manager list; #TODO: b/62658302
# Make sure that the following services are never accessible by untrusted_apps
neverallow all_untrusted_apps {
default_android_hwservice
hal_audio_hwservice
hal_bluetooth_hwservice
hal_bootctl_hwservice
hal_camera_hwservice
hal_contexthub_hwservice
hal_drm_hwservice
hal_dumpstate_hwservice
hal_fingerprint_hwservice
hal_gatekeeper_hwservice
hal_gnss_hwservice
hal_graphics_composer_hwservice
hal_health_hwservice
hal_ir_hwservice
hal_keymaster_hwservice
hal_light_hwservice
hal_memtrack_hwservice
hal_nfc_hwservice
hal_oemlock_hwservice
hal_power_hwservice
hal_sensors_hwservice
hal_telephony_hwservice
hal_thermal_hwservice
hal_tv_cec_hwservice
hal_tv_input_hwservice
hal_usb_hwservice
hal_vibrator_hwservice
hal_vr_hwservice
hal_weaver_hwservice
hal_wifi_hwservice
hal_wifi_supplicant_hwservice
hidl_base_hwservice
Assert apps can access only approved HwBinder services App domains which host arbitrary code must not have access to arbitrary HwBinder services. Such access unnecessarily increases the attack surface. The reason is twofold: 1. HwBinder servers do not perform client authentication because HIDL currently does not expose caller UID information and, even if it did, many HwBinder services either operate at a layer below that of apps (e.g., HALs) or must not rely on app identity for authorization. Thus, to be safe, the default assumption is that a HwBinder service treats all its clients as equally authorized to perform operations offered by the service. 2. HAL servers (a subset of HwBinder services) contain code with higher incidence rate of security issues than system/core components and have access to lower layes of the stack (all the way down to hardware) thus increasing opportunities for bypassing the Android security model. HwBinder services offered by core components (as opposed to vendor components) are considered safer because of point #2 above. Always same-process aka always-passthrough HwBinder services are considered safe for access by these apps. This is because these HALs by definition do not offer any additional access beyond what its client already as, because these services run in the process of the client. This commit thus introduces these two categories of HwBinder services in neverallow rules. Test: mmm system/sepolicy -- this does not change on-device policy Bug: 34454312 Change-Id: I4f5f4dd10b3fc3bb9d262dda532d4a23dcdf061d
2017-04-21 17:06:43 -07:00
}:hwservice_manager find;
# HwBinder services offered by core components (as opposed to vendor components)
# are considered somewhat safer due to point #2 above.
neverallow all_untrusted_apps {
coredomain_hwservice
-same_process_hwservice
-hidl_allocator_hwservice # Designed for use by any domain
-hidl_manager_hwservice # Designed for use by any domain
-hidl_memory_hwservice # Designed for use by any domain
-hidl_token_hwservice # Designed for use by any domain
}:hwservice_manager find;
# Restrict *Binder access from apps to HAL domains. We can only do this on full
# Treble devices where *Binder communications between apps and HALs are tightly
# restricted.
full_treble_only(`
neverallow all_untrusted_apps {
halserverdomain
-coredomain
-hal_configstore_server
-hal_graphics_allocator_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
}:binder { call transfer };
')
Reference in New Issue Copy Permalink