00657834b8
This adds neverallow rules which enforce the prohibition on communication between framework and vendor components over VendorBinder. This prohibition is similar in spirit to the one for Binder communications. Most changes consist of adding neverallow rules, which do not affect runtime behavior. The only change which does affect runtime behavior is the change which takes away the right of servicemanager domain to transfer Binder tokens to hwservicemanager and vndservicemanager. This grant was there by accident (because it was overly broad) and is not expected to be needed: servicemanager, hwservicemanager, and vndservicemanager are not supposed to be communicating with each other. P. S. The new neverallow rules in app_neverallows.te are covered by the new rules in domain.te. The rules were nevertheless added to app_neverallows.te for consistency with other *Binder rules there. Test: mmm system/sepolicy Bug: 37663632 Change-Id: I7c2ae23924bf0f2fed3f1e3a8d4d603129286329
26 lines
904 B
Plaintext
26 lines
904 B
Plaintext
# servicemanager - the Binder context manager
|
|
type servicemanager, domain, mlstrustedsubject;
|
|
type servicemanager_exec, exec_type, file_type;
|
|
|
|
# Note that we do not use the binder_* macros here.
|
|
# servicemanager is unique in that it only provides
|
|
# name service (aka context manager) for Binder.
|
|
# As such, it only ever receives and transfers other references
|
|
# created by other domains. It never passes its own references
|
|
# or initiates a Binder IPC.
|
|
allow servicemanager self:binder set_context_mgr;
|
|
allow servicemanager {
|
|
domain
|
|
-init
|
|
-hwservicemanager
|
|
-vndservicemanager
|
|
}:binder transfer;
|
|
|
|
# Access to all (system and vendor) service_contexts
|
|
# TODO(b/36866029) access to nonplat_service_contexts
|
|
# should not be allowed on full treble devices
|
|
allow servicemanager service_contexts_file:file r_file_perms;
|
|
|
|
# Check SELinux permissions.
|
|
selinux_check_access(servicemanager)
|