From 580375c923d422ebf40264b0649a08488fde320c Mon Sep 17 00:00:00 2001 From: Jiyong Park Date: Thu, 22 Aug 2019 00:04:50 +0900 Subject: [PATCH] Access to HALs from untrusted apps is blacklist-based Before this change, access to HALs from untrusted apps was prohibited except for the whitelisted ones like the gralloc HAL, the renderscript HAL, etc. As a result, any HAL that is added by partners can't be accessed from apps. This sometimes is a big restriction for them when they want to access their own HALs in the same-process HALs running in apps. Although this is a vendor-to-vendor communication and thus is not a Treble violation, that was not allowed because their HALs are not in the whitelist in AOSP. This change fixes the problem by doing the access control in the opposite way; access to HALs are restricted only for the blacklisted ones. All the hwservice context that were not in the whitelist are now put to blacklist. This change also removes the neverallow rule for the binder access to the halserverdomain types. This is not needed as the protected hwservices living in the HAL processes are already not accessible; we have a neverallow rule for preventing hwservice_manager from finding those protected hwservices from untrusted apps. Bug: 139645938 Test: m Change-Id: I1e63c11143f56217eeec05e2288ae7c91e5fe585
---
 private/app_neverallows.te | 58 ++--------------
 public/attributes | 3 +
 public/hwservice.te | 139 +++++++++++++++++++++----------------
 3 files changed, 86 insertions(+), 114 deletions(-)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 05ec95cc0..e5c6aee2c 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -205,11 +205,11 @@ neverallow all_untrusted_apps system_file:file lock;
 # other than find actions for services listed below
 neverallow all_untrusted_apps *:hwservice_manager ~find;
-# Do not permit access from apps which host arbitrary code to HwBinder services,
-# except those considered sufficiently safe for access from such apps.
+# Do not permit access from apps which host arbitrary code to the protected HwBinder
+# services.
 # The two main reasons for this are:
-# 1. HwBinder servers do not perform client authentication because HIDL
-# currently does not expose caller UID information and, even if it did, many
+# 1. Protected HwBinder servers do not perform client authentication because HIDL
+# currently does not expose caller UID information and, even if it did, those
 # HwBinder services either operate at a level below that of apps (e.g., HALs)
 # or must not rely on app identity for authorization. Thus, to be safe, the
 # default assumption is that every HwBinder service treats all its clients as
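Review bot: The unchanged context line `# other than find actions for services listed below`, two lines above the rewritten comment, now points at a list that no longer exists in this file, because after this change the exceptions are expressed by the absence of the protected_hwservice attribute in public/hwservice.te rather than enumerated here. Suggest `# other than find actions for services not marked protected_hwservice (see public/hwservice.te)` so the two comments agree on where the policy is decided. The comment block edited here continues past the end of the hunk.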
@@ -218,37 +218,7 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
 # incidence rate of security issues than system/core components and have
 # access to lower layes of the stack (all the way down to hardware) thus
 # increasing opportunities for bypassing the Android security model.
-#
-# Safe services include:
-# - same process services: because they by definition run in the process
-# of the client and thus have the same access as the client domain in which
-# the process runs
-# - coredomain_hwservice: are considered safe because they do not pose risks
-# associated with reason #2 above.
-# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
-# designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-# by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-# Binder service which apps were permitted to access.
-# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
-neverallow all_untrusted_apps {
- hwservice_manager_type
- -fwk_bufferhub_hwservice
- -hal_cas_hwservice
- -hal_codec2_hwservice
- -hal_configstore_ISurfaceFlingerConfigs
- -hal_graphics_allocator_hwservice
- -hal_graphics_mapper_hwservice
- -hal_neuralnetworks_hwservice
- -hal_omx_hwservice
- -hal_renderscript_hwservice
- -hidl_allocator_hwservice
- -hidl_manager_hwservice
- -hidl_memory_hwservice
- -hidl_token_hwservice
- -untrusted_app_visible_hwservice_violators
-}:hwservice_manager find;
+neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
 
 neverallow all_untrusted_apps {
 vendor_service
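Review bot: The new rule `neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;` fails open: any hwservice type declared without protected_hwservice is findable by every untrusted app, whereas the removed set-difference rule denied everything not explicitly exempted. That is the stated intent for partner HALs, but it applies equally to AOSP's own types in public/hwservice.te, where forgetting the attribute on a newly added type silently widens app access with nothing in the policy to catch it. Consider pairing this rule with a guard — at minimum a comment here stating that every AOSP hwservice type must carry protected_hwservice unless listed as an exception, and ideally a sepolicy build-time test that reports any AOSP hwservice_manager_type lacking the attribute that is not in the documented exception list. Also, untrusted_app_visible_hwservice_violators is no longer referenced by this rule; if the attribute is still declared elsewhere, its purpose should be re-documented or it should be retired, since vendor types now opt in simply by not carrying protected_hwservice.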
@@ -257,24 +227,6 @@ neverallow all_untrusted_apps {
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 
-# Restrict *Binder access from apps to HAL domains. We can only do this on full
-# Treble devices where *Binder communications between apps and HALs are tightly
-# restricted.
-full_treble_only(`
- neverallow all_untrusted_apps {
- halserverdomain
- -coredomain
- -hal_cas_server
- -hal_codec2_server
- -hal_configstore_server
- -hal_graphics_allocator_server
- -hal_neuralnetworks_server
- -hal_omx_server
- -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
- -untrusted_app_visible_halserver_violators
- }:binder { call transfer };
-')
-
 # Access to /proc/tty/drivers, to allow apps to determine if they
 # are running in an emulated environment.
 # b/33214085 b/33814662 b/33791054 b/33211769
diff --git a/public/attributes b/public/attributes
index 3bf04cf5f..62ccd4a26 100644
--- a/public/attributes
+++ b/public/attributes
@@ -120,6 +120,9 @@ attribute same_process_hwservice;
 # All HwBinder services guaranteed to be offered only by core domain components
 attribute coredomain_hwservice;
 
+# All HwBinder services that untrusted apps can't directly access
+attribute protected_hwservice;
+
 # All types used for services managed by vndservicemanager
 attribute vndservice_manager_type;
 
diff --git a/public/hwservice.te b/public/hwservice.te
index 7d395d95f..b86dcd734 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
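Review bot: Removing the `full_treble_only` binder neverallow drops the one rule that denied `call`/`transfer` between untrusted apps and HAL server domains once an app already holds a handle, leaving the `find` restriction in hwservicemanager as the only barrier. A handle to a protected HAL may also reach an app without any lookup, for instance as a binder object passed back through another service's transaction, and the commit message's justification ("already not accessible") does not address that path. If AOSP's own HAL servers are meant to stay unreachable while partner HALs become callable, a parallel attribute on the server domains of protected hwservices, mirroring the pattern protected_hwservice applies to the service types, would keep that defense-in-depth without blocking the vendor-to-vendor case the commit wants. At minimum the rationale for relying on `find` alone belongs in a comment at the spot where the rule was removed, so the next reader does not reintroduce it or assume it was dropped by accident.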
@@ -1,77 +1,94 @@
-type default_android_hwservice, hwservice_manager_type;
+# hwservice types. By default most of the HALs are protected_hwservice, which means
+# access from untrusted apps is prohibited.
+type default_android_hwservice, hwservice_manager_type, protected_hwservice;
+type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_drm_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
+type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type, protected_hwservice;
+
+# Following is the hwservices that are explicitly not marked with protected_hwservice.
+# These are directly accessible from untrusted apps.
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safer than ordinary hwservices which
+# are from vendor partition
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
 type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
-type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_atrace_hwservice, hwservice_manager_type;
-type hal_audiocontrol_hwservice, hwservice_manager_type;
-type hal_audio_hwservice, hwservice_manager_type;
-type hal_authsecret_hwservice, hwservice_manager_type;
-type hal_bluetooth_hwservice, hwservice_manager_type;
-type hal_bootctl_hwservice, hwservice_manager_type;
-type hal_broadcastradio_hwservice, hwservice_manager_type;
-type hal_camera_hwservice, hwservice_manager_type;
-type hal_can_bus_hwservice, hwservice_manager_type;
-type hal_can_controller_hwservice, hwservice_manager_type;
+type hal_cas_hwservice, hwservice_manager_type;
 type hal_codec2_hwservice, hwservice_manager_type;
 type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
-type hal_confirmationui_hwservice, hwservice_manager_type;
-type hal_contexthub_hwservice, hwservice_manager_type;
-type hal_drm_hwservice, hwservice_manager_type;
-type hal_cas_hwservice, hwservice_manager_type;
-type hal_dumpstate_hwservice, hwservice_manager_type;
-type hal_evs_hwservice, hwservice_manager_type;
-type hal_face_hwservice, hwservice_manager_type;
-type hal_fingerprint_hwservice, hwservice_manager_type;
-type hal_gatekeeper_hwservice, hwservice_manager_type;
-type hal_gnss_hwservice, hwservice_manager_type;
 type hal_graphics_allocator_hwservice, hwservice_manager_type;
-type hal_graphics_composer_hwservice, hwservice_manager_type;
 type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_health_hwservice, hwservice_manager_type;
-type hal_health_storage_hwservice, hwservice_manager_type;
-type hal_input_classifier_hwservice, hwservice_manager_type;
-type hal_ir_hwservice, hwservice_manager_type;
-type hal_keymaster_hwservice, hwservice_manager_type;
-type hal_light_hwservice, hwservice_manager_type;
-type hal_lowpan_hwservice, hwservice_manager_type;
-type hal_memtrack_hwservice, hwservice_manager_type;
 type hal_neuralnetworks_hwservice, hwservice_manager_type;
-type hal_nfc_hwservice, hwservice_manager_type;
-type hal_oemlock_hwservice, hwservice_manager_type;
 type hal_omx_hwservice, hwservice_manager_type;
-type hal_power_hwservice, hwservice_manager_type;
-type hal_power_stats_hwservice, hwservice_manager_type;
 type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_secure_element_hwservice, hwservice_manager_type;
-type hal_sensors_hwservice, hwservice_manager_type;
-type hal_telephony_hwservice, hwservice_manager_type;
-type hal_tetheroffload_hwservice, hwservice_manager_type;
-type hal_thermal_hwservice, hwservice_manager_type;
-type hal_tv_cec_hwservice, hwservice_manager_type;
-type hal_tv_input_hwservice, hwservice_manager_type;
-type hal_tv_tuner_hwservice, hwservice_manager_type;
-type hal_usb_hwservice, hwservice_manager_type;
-type hal_usb_gadget_hwservice, hwservice_manager_type;
-type hal_vehicle_hwservice, hwservice_manager_type;
-type hal_vibrator_hwservice, hwservice_manager_type;
-type hal_vr_hwservice, hwservice_manager_type;
-type hal_weaver_hwservice, hwservice_manager_type;
-type hal_wifi_hwservice, hwservice_manager_type;
-type hal_wifi_hostapd_hwservice, hwservice_manager_type;
-type hal_wifi_supplicant_hwservice, hwservice_manager_type;
 type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_base_hwservice, hwservice_manager_type;
 type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
 type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
-type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
-type thermalcallback_hwservice, hwservice_manager_type;
 
 ###
 ### Neverallow rules
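Review bot: `type hidl_base_hwservice, hwservice_manager_type;` (an unchanged context line near the end of the hunk) carries no protected_hwservice, so under the new rule it becomes findable by untrusted apps, yet it was not in the removed exception list and is neither coredomain_hwservice nor same_process_hwservice, so none of the justification bullets added in this hunk cover it. Either mark it `type hidl_base_hwservice, hwservice_manager_type, protected_hwservice;` to preserve the previous behaviour, or add it to the "# Following is the hwservices ..." list with a reason; hal_cas_hwservice and hal_neuralnetworks_hwservice are likewise exempt without being explained by any bullet and deserve an entry there. The header comment `# hwservice types. By default most of the HALs are protected_hwservice` overstates what the policy does, since nothing makes protected_hwservice a default — each type must carry it explicitly — and `# Most hwservice types below carry protected_hwservice, which denies find from untrusted apps; a type declared without it is reachable from apps, so add it to every new type unless listed in the exceptions below.` states what is actually enforced. While these lines are being rewritten, the carried-over `becuase` typo in the hal_configstore bullet could be fixed as well.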