Merge "Access to HALs from untrusted apps is blacklist-based"
commit
aa31e64e83
@ -205,11 +205,11 @@ neverallow all_untrusted_apps system_file:file lock;
|
||||
# other than find actions for services listed below
|
||||
neverallow all_untrusted_apps *:hwservice_manager ~find;
|
||||
|
||||
# Do not permit access from apps which host arbitrary code to HwBinder services,
|
||||
# except those considered sufficiently safe for access from such apps.
|
||||
# Do not permit access from apps which host arbitrary code to the protected HwBinder
|
||||
# services.
|
||||
# The two main reasons for this are:
|
||||
# 1. HwBinder servers do not perform client authentication because HIDL
|
||||
# currently does not expose caller UID information and, even if it did, many
|
||||
# 1. Protected HwBinder servers do not perform client authentication because HIDL
|
||||
# currently does not expose caller UID information and, even if it did, those
|
||||
# HwBinder services either operate at a level below that of apps (e.g., HALs)
|
||||
# or must not rely on app identity for authorization. Thus, to be safe, the
|
||||
# default assumption is that every HwBinder service treats all its clients as
|
||||
@ -218,37 +218,7 @@ neverallow all_untrusted_apps *:hwservice_manager ~find;
|
||||
# incidence rate of security issues than system/core components and have
|
||||
# access to lower layes of the stack (all the way down to hardware) thus
|
||||
# increasing opportunities for bypassing the Android security model.
|
||||
#
|
||||
# Safe services include:
|
||||
# - same process services: because they by definition run in the process
|
||||
# of the client and thus have the same access as the client domain in which
|
||||
# the process runs
|
||||
# - coredomain_hwservice: are considered safe because they do not pose risks
|
||||
# associated with reason #2 above.
|
||||
# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
|
||||
# designed for use by any domain.
|
||||
# - hal_graphics_allocator_hwservice: because these operations are also offered
|
||||
# by surfaceflinger Binder service, which apps are permitted to access
|
||||
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
|
||||
# Binder service which apps were permitted to access.
|
||||
# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
|
||||
neverallow all_untrusted_apps {
|
||||
hwservice_manager_type
|
||||
-fwk_bufferhub_hwservice
|
||||
-hal_cas_hwservice
|
||||
-hal_codec2_hwservice
|
||||
-hal_configstore_ISurfaceFlingerConfigs
|
||||
-hal_graphics_allocator_hwservice
|
||||
-hal_graphics_mapper_hwservice
|
||||
-hal_neuralnetworks_hwservice
|
||||
-hal_omx_hwservice
|
||||
-hal_renderscript_hwservice
|
||||
-hidl_allocator_hwservice
|
||||
-hidl_manager_hwservice
|
||||
-hidl_memory_hwservice
|
||||
-hidl_token_hwservice
|
||||
-untrusted_app_visible_hwservice_violators
|
||||
}:hwservice_manager find;
|
||||
neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
|
||||
|
||||
neverallow all_untrusted_apps {
|
||||
vendor_service
|
||||
@ -257,24 +227,6 @@ neverallow all_untrusted_apps {
|
||||
# SELinux is not an API for untrusted apps to use
|
||||
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
|
||||
|
||||
# Restrict *Binder access from apps to HAL domains. We can only do this on full
|
||||
# Treble devices where *Binder communications between apps and HALs are tightly
|
||||
# restricted.
|
||||
full_treble_only(`
|
||||
neverallow all_untrusted_apps {
|
||||
halserverdomain
|
||||
-coredomain
|
||||
-hal_cas_server
|
||||
-hal_codec2_server
|
||||
-hal_configstore_server
|
||||
-hal_graphics_allocator_server
|
||||
-hal_neuralnetworks_server
|
||||
-hal_omx_server
|
||||
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
|
||||
-untrusted_app_visible_halserver_violators
|
||||
}:binder { call transfer };
|
||||
')
|
||||
|
||||
# Access to /proc/tty/drivers, to allow apps to determine if they
|
||||
# are running in an emulated environment.
|
||||
# b/33214085 b/33814662 b/33791054 b/33211769
|
||||
|
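Review bot: The `full_treble_only` neverallow denying `all_untrusted_apps` `halserverdomain:binder { call transfer }` in the third hunk appears to be dropped outright (the header goes from 24 to 6 lines, which matches that block plus its comment), and nothing added in this commit replaces it, so after the change `find` on `protected_hwservice` is the only enforced barrier between an untrusted app and a HAL process. The old binder rule was a second layer: a HAL handle that a system process hands to an app over Binder was still not callable, whereas now it would be. If the removal is deliberate, record the reasoning next to the new rule, e.g. `# Only hwservice find is restricted here; binder call/transfer to HAL server domains is not separately neverallowed.`; otherwise keep the block, since `protected_hwservice` covers service lookup, not the server domains. The sides of the lines are inferred from the hunk counts, as this rendering drops the +/- markers.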
@ -120,6 +120,9 @@ attribute same_process_hwservice;
|
||||
# All HwBinder services guaranteed to be offered only by core domain components
|
||||
attribute coredomain_hwservice;
|
||||
|
||||
# All HwBinder services that untrusted apps can't directly access
|
||||
attribute protected_hwservice;
|
||||
|
||||
# All types used for services managed by vndservicemanager
|
||||
attribute vndservice_manager_type;
|
||||
|
||||
|
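Review bot: The comment on `attribute protected_hwservice;` says what the attribute denies but not what omitting it means, and with the untrusted-app check now keyed on this attribute an unmarked `hwservice_manager_type` is findable by untrusted apps by default. A maintainer adding a new hwservice type needs that warning at the declaration, not only in hwservice.te; suggest `# All HwBinder services that untrusted apps can't directly access. Access is denied only for types carrying this attribute, so every new hwservice_manager_type must add it unless exposure to untrusted apps is intended and justified.`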
@ -1,78 +1,95 @@
|
||||
type default_android_hwservice, hwservice_manager_type;
|
||||
# hwservice types. By default most of the HALs are protected_hwservice, which means
|
||||
# access from untrusted apps is prohibited.
|
||||
type default_android_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||
type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||
type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_drm_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_wifi_offload_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
|
||||
type thermalcallback_hwservice, hwservice_manager_type, protected_hwservice;
|
||||
|
||||
# Following is the hwservices that are explicitly not marked with protected_hwservice.
|
||||
# These are directly accessible from untrusted apps.
|
||||
# - same process services: because they by definition run in the process
|
||||
# of the client and thus have the same access as the client domain in which
|
||||
# the process runs
|
||||
# - coredomain_hwservice: are considered safer than ordinary hwservices which
|
||||
# are from vendor partition
|
||||
# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
|
||||
# designed for use by any domain.
|
||||
# - hal_graphics_allocator_hwservice: because these operations are also offered
|
||||
# by surfaceflinger Binder service, which apps are permitted to access
|
||||
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
|
||||
# Binder service which apps were permitted to access.
|
||||
# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
|
||||
type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type hal_atrace_hwservice, hwservice_manager_type;
|
||||
type hal_audiocontrol_hwservice, hwservice_manager_type;
|
||||
type hal_audio_hwservice, hwservice_manager_type;
|
||||
type hal_authsecret_hwservice, hwservice_manager_type;
|
||||
type hal_bluetooth_hwservice, hwservice_manager_type;
|
||||
type hal_bootctl_hwservice, hwservice_manager_type;
|
||||
type hal_broadcastradio_hwservice, hwservice_manager_type;
|
||||
type hal_camera_hwservice, hwservice_manager_type;
|
||||
type hal_can_bus_hwservice, hwservice_manager_type;
|
||||
type hal_can_controller_hwservice, hwservice_manager_type;
|
||||
type hal_cas_hwservice, hwservice_manager_type;
|
||||
type hal_codec2_hwservice, hwservice_manager_type;
|
||||
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
|
||||
type hal_confirmationui_hwservice, hwservice_manager_type;
|
||||
type hal_contexthub_hwservice, hwservice_manager_type;
|
||||
type hal_drm_hwservice, hwservice_manager_type;
|
||||
type hal_cas_hwservice, hwservice_manager_type;
|
||||
type hal_dumpstate_hwservice, hwservice_manager_type;
|
||||
type hal_evs_hwservice, hwservice_manager_type;
|
||||
type hal_face_hwservice, hwservice_manager_type;
|
||||
type hal_fingerprint_hwservice, hwservice_manager_type;
|
||||
type hal_gatekeeper_hwservice, hwservice_manager_type;
|
||||
type hal_gnss_hwservice, hwservice_manager_type;
|
||||
type hal_graphics_allocator_hwservice, hwservice_manager_type;
|
||||
type hal_graphics_composer_hwservice, hwservice_manager_type;
|
||||
type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
|
||||
type hal_health_hwservice, hwservice_manager_type;
|
||||
type hal_health_storage_hwservice, hwservice_manager_type;
|
||||
type hal_input_classifier_hwservice, hwservice_manager_type;
|
||||
type hal_ir_hwservice, hwservice_manager_type;
|
||||
type hal_keymaster_hwservice, hwservice_manager_type;
|
||||
type hal_light_hwservice, hwservice_manager_type;
|
||||
type hal_lowpan_hwservice, hwservice_manager_type;
|
||||
type hal_memtrack_hwservice, hwservice_manager_type;
|
||||
type hal_neuralnetworks_hwservice, hwservice_manager_type;
|
||||
type hal_nfc_hwservice, hwservice_manager_type;
|
||||
type hal_oemlock_hwservice, hwservice_manager_type;
|
||||
type hal_omx_hwservice, hwservice_manager_type;
|
||||
type hal_power_hwservice, hwservice_manager_type;
|
||||
type hal_power_stats_hwservice, hwservice_manager_type;
|
||||
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
|
||||
type hal_secure_element_hwservice, hwservice_manager_type;
|
||||
type hal_sensors_hwservice, hwservice_manager_type;
|
||||
type hal_telephony_hwservice, hwservice_manager_type;
|
||||
type hal_tetheroffload_hwservice, hwservice_manager_type;
|
||||
type hal_thermal_hwservice, hwservice_manager_type;
|
||||
type hal_tv_cec_hwservice, hwservice_manager_type;
|
||||
type hal_tv_input_hwservice, hwservice_manager_type;
|
||||
type hal_tv_tuner_hwservice, hwservice_manager_type;
|
||||
type hal_usb_hwservice, hwservice_manager_type;
|
||||
type hal_usb_gadget_hwservice, hwservice_manager_type;
|
||||
type hal_vehicle_hwservice, hwservice_manager_type;
|
||||
type hal_vibrator_hwservice, hwservice_manager_type;
|
||||
type hal_vr_hwservice, hwservice_manager_type;
|
||||
type hal_weaver_hwservice, hwservice_manager_type;
|
||||
type hal_wifi_hwservice, hwservice_manager_type;
|
||||
type hal_wifi_hostapd_hwservice, hwservice_manager_type;
|
||||
type hal_wifi_offload_hwservice, hwservice_manager_type;
|
||||
type hal_wifi_supplicant_hwservice, hwservice_manager_type;
|
||||
type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type hidl_base_hwservice, hwservice_manager_type;
|
||||
type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type system_ashmem_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
|
||||
type thermalcallback_hwservice, hwservice_manager_type;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
|
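Review bot: `type hidl_base_hwservice, hwservice_manager_type;` carries neither `protected_hwservice` nor an entry in the new comment listing the services deliberately left open, yet under the old policy it was denied (it was not among the exceptions to the old `hwservice_manager_type` neverallow). If that line is unchanged context rather than a removed line, which this rendering does not make certain, the commit silently turns it from denied to findable by untrusted apps, which is exactly the failure mode a blocklist introduces. Either mark it `type hidl_base_hwservice, hwservice_manager_type, protected_hwservice;` or add it to the "explicitly not marked" list with the reason it is safe. More generally, a mechanical diff of the old exception list against the set of types lacking the new attribute would catch any other type that changed status without being named in the commit.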