Revert "Re-open /dev/binder access to all." am: 6b2eaade82 am: db28fe2381

am: 64f3d8d104

Change-Id: I29492e16d36d1394b8d27ace12cd2c99ad4c130c

private/app_neverallows.te

@@ -250,11 +250,6 @@ neverallow all_untrusted_apps {
   -untrusted_app_visible_hwservice_violators
 }:hwservice_manager find;
 
-neverallow all_untrusted_apps {
-  vendor_service
-  vintf_service
-}:service_manager find;
-
 # SELinux is not an API for untrusted apps to use
 neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 

public/attributes

@@ -98,12 +98,6 @@ attribute ephemeral_app_api_service;
 # services which export only system_api
 attribute system_api_service;
 
-# services which should only be available to vendor
-attribute vendor_service;
-
-# services which should be available system<->vendor
-attribute vintf_service;
-
 # All types used for services managed by servicemanager.
 # On change, update CHECK_SC_ASSERT_ATTRS
 # definition in tools/checkfc.c.

public/domain.te

@@ -88,9 +88,15 @@ allow domain ashmem_server:fd use;
 allow { domain -coredomain -appdomain } system_ashmem_hwservice:hwservice_manager find;
 allow { domain -coredomain -appdomain } ashmem_server: binder call;
 
-# /dev/binder can be accessed by ... everyone! :)
-allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
-
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow {
+  coredomain
+  appdomain
+  binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  -hwservicemanager
+} binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
 allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
@@ -624,21 +630,30 @@ neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
 neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
 
-# system services cant add vendor services
-neverallow {
-  coredomain
-} vendor_service:service_manager add;
+# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
+# domain apps need this because Android framework offers many of its services to apps as Binder
+# services.
+full_treble_only(`
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } binder_device:chr_file rw_file_perms;
+')
 
-# vendor services cant add system services
-neverallow {
-  domain
-  -coredomain
-} {
-  service_manager_type
-  -vendor_service
-  -vintf_service
-}:service_manager add;
+# libcutils can probe for /dev/binder permissions with access(). Ignore
+# generated denials. See b/129073672 for details.
+dontaudit domain binder_device:chr_file audit_access;
 
+full_treble_only(`
+  neverallow {
+    domain
+    -coredomain
+    -appdomain # restrictions for vendor apps are declared lower down
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } service_manager_type:service_manager find;
+')
 full_treble_only(`
   # Vendor apps are permited to use only stable public services. If they were to use arbitrary
   # services which can change any time framework/core is updated, breakage is likely.
@@ -664,6 +679,14 @@ full_treble_only(`
     -vr_manager_service
   }:service_manager find;
 ')
+full_treble_only(`
+  neverallow {
+    domain
+    -coredomain
+    -appdomain
+    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+  } servicemanager:binder { call transfer };
+')
 
 # On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
 full_treble_only(`