Annotate violators of "no sockets between core and vendor" rule

These vendor domains communicate with core domains over sockets,
which is not permitted. This commit thus temporarily associates these
domains with socket_between_core_and_vendor_violators attribute which
permits this banned behavior to continue for now. This is a temporary
workaround. The fix is to fix these domains to not communicate with
core domains over sockets.

NOTE: Some of the domains on the list are there for a benign reason:
passthrough HALs. Core domains which host passthrough HAL
implementations may initiate socket connections to vendor domains and
this is completely permitted. I could've whitelisted all HAL client
domains in the neverallow rules (using halclientdomain attribute) but
this increases the risk of not noticing banned communications from
these domains. Thus, as a workaround until we stop using passthrough
HALs (b/34274385), I added the affected vendor domains to the list of
exemptions.

Test: mmm system/sepolicy
Bug: 36577153
Change-Id: I525a60e571141117e105e96b2b7e28aed791d56f
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index c4449d2..1c00855 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -37,3 +37,11 @@
 
 allow camera input_device:dir r_dir_perms;
 allow camera input_device:chr_file r_file_perms;
+
+# TODO(b/34274385): Remove this once Camera HAL is guaranteed to not be run in passthrough mode
+# What's going on here is that Camera HAL os talking over sockets to camera daemon, which is
+# permitted. However, those rules target hal_camera rather than hal_camera_server and thus are also
+# granted to all clients of Camera HAL (e.g., cameraserver) which are core components, and
+# socket communications between system components and vendor components are not permted.
+# Once we switch full Treble devices to binderized only mode, this issue will disappear.
+typeattribute camera socket_between_core_and_vendor_violators;
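Review bot: The second added comment line says `Camera HAL os talking over sockets` and the fifth ends with `are not permted`; these should read `is talking` and `are not permitted`. The same `permted` misspelling recurs in the ims.te, location.te, perfd.te, qmuxd.te and wcnss_filter.te hunks, and those hunks also carry `Telphony` (ims.te) and `Bluetooh` (wcnss_filter.te). Since all of these blocks are meant to be found and deleted when b/34274385 closes, spelling the tracking comments consistently keeps them greppable at cleanup time.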
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index acd87c9..5a7dd92 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -34,3 +34,6 @@
 # use for mobile hostspot
 allow cnd shell_exec:file rx_file_perms;
 allow cnd system_file:file rx_file_perms;
+
+# TODO(b/36613996): Remove this once system_app no longer communicates over sockets with cnd
+typeattribute cnd socket_between_core_and_vendor_violators;
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te
index c76f3cf..0cf32de 100644
--- a/sepolicy/hal_drm_widevine.te
+++ b/sepolicy/hal_drm_widevine.te
@@ -9,5 +9,8 @@
 # such as mediametrics service it currently attempts to use
 typeattribute hal_drm_widevine binder_in_vendor_violators;
 
+# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
+typeattribute hal_drm_widevine socket_between_core_and_vendor_violators;
+
 allow hal_drm mediacodec:fd use;
 allow hal_drm { appdomain -isolated_app }:fd use;
diff --git a/sepolicy/hal_gnss.te b/sepolicy/hal_gnss.te
index e945798..5942f55 100644
--- a/sepolicy/hal_gnss.te
+++ b/sepolicy/hal_gnss.te
@@ -23,6 +23,7 @@
 #
 # TODO:(b/35757613) - STOPSHIP - HAL cannot have direct inet access
 #
+typeattribute hal_gnss_default socket_between_core_and_vendor_violators;
 allow hal_gnss dnsproxyd_socket:sock_file write;
 allow hal_gnss fwmarkd_socket:sock_file write;
 allow hal_gnss netd:unix_stream_socket connectto;
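Review bot: The added `typeattribute hal_gnss_default socket_between_core_and_vendor_violators;` sits directly under the existing `TODO:(b/35757613) - STOPSHIP` comment about inet access, so it reads as part of that unrelated item and, unlike every other hunk in this change, carries no note of its own saying which socket traffic the exemption covers or which bug tracks its removal. Add a dedicated comment above it, e.g. `# TODO(b/<bug id>): Remove this once hal_gnss no longer talks to netd over sockets`, with the bug that tracks the netd socket usage. The neighbouring allow rules target the `hal_gnss` attribute while the exemption is on the `hal_gnss_default` type; that looks deliberate, since the attribute presumably also covers core clients of the HAL, but it is worth stating in the comment so nobody later widens the exemption to `hal_gnss`.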
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index 5a3a67f..7ba9217 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
@@ -40,3 +40,12 @@
 
 # use fds passed from radio app
 allow ims radio:fd use;
+
+# TODO(b/34274385): Remove this once Telphony HAL is guaranteed to not be run in passthrough mode
+# What's going on here is that Telephony HAL is talking over sockets to ims daemon, which is
+# permitted. However, those rules target hal_telephony rather than hal_telephony_server and thus
+# are also granted to all clients of Telephony HAL (e.g., radio daemon) which are core
+# components, and socket communications between system components and vendor components are not
+# permted.
+# Once we switch full Treble devices to binderized only mode, this issue will disappear.
+typeattribute ims socket_between_core_and_vendor_violators;
diff --git a/sepolicy/location.te b/sepolicy/location.te
index 9dd7ff4..aaa56a0 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -49,3 +49,11 @@
 userdebug_or_eng(`
   allow location diag_device:chr_file rw_file_perms;
 ')
+
+# TODO(b/34274385): Remove this once Wi-Fi HAL is guaranteed to not be run in passthrough mode
+# What's going on here is that Wi-Fi HAL is talking over sockets to location daemon, which is
+# permitted. However, those rules target hal_wifi rather than hal_wifi_server and thus are also
+# granted to all clients of these HALs (e.g., system_server) which are core components, and
+# socket communications between system components and vendor components are not permted.
+# Once we switch full Treble devices to binderized only mode, this issue will disappear.
+typeattribute location socket_between_core_and_vendor_violators;
diff --git a/sepolicy/perfd.te b/sepolicy/perfd.te
index 7d18e89..3f0679c 100644
--- a/sepolicy/perfd.te
+++ b/sepolicy/perfd.te
@@ -34,3 +34,11 @@
 # Determining if a process exists does not require the kill capability
 # since a permission denied indicates the process exists.
 dontaudit perfd self:capability kill;
+
+# TODO(b/34274385): Remove this once HALs are guaranteed to not be run in passthrough mode
+# What's going on here is that Audio HAL, Power and DRM HAL are talking over sockets to perfd,
+# which is permitted. However, those rules target hal_x rather than hal_x_server and thus are also
+# granted to all clients of these HALs (e.g., system_server) which are core components, and
+# socket communications between system components and vendor components are not permted.
+# Once we switch full Treble devices to binderized only mode, this issue will disappear.
+typeattribute perfd socket_between_core_and_vendor_violators;
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
index 10dddb5..59d6c4f 100644
--- a/sepolicy/qmuxd.te
+++ b/sepolicy/qmuxd.te
@@ -7,3 +7,11 @@
 allow qmuxd qmuxd_socket:dir w_dir_perms;
 allow qmuxd qmuxd_socket:sock_file create_file_perms;
 allow qmuxd self:socket create_socket_perms_no_ioctl;
+
+# TODO(b/34274385): Remove this once HALs are guaranteed to not be run in passthrough mode
+# What's going on here is that Camera HAL is talking over sockets to qmuxd, which is permitted.
+# However, those rules target hal_camera rather than hal_camera_server and thus are also
+# granted to all clients of these HALs (e.g., cameraserver) which are core components, and
+# socket communications between system components and vendor components are not permted.
+# Once we switch full Treble devices to binderized only mode, this issue will disappear.
+typeattribute qmuxd socket_between_core_and_vendor_violators;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index c73c32c..a3fe7df 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -25,3 +25,7 @@
 userdebug_or_eng(`
   allow rild diag_device:chr_file rw_file_perms;
 ')
+
+# TODO(b/36613472): Remove this once system_server,  mediaserver, bluetooth, and radio no longer
+# communicate with rild over sockets.
+typeattribute rild socket_between_core_and_vendor_violators;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 3981018..1738e0d 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -16,6 +16,8 @@
 allow system_server perfd_data_file:sock_file write;
 allow system_server perfd:unix_stream_socket connectto;
 
+# TODO(b/36613917): Remove this once system_server no longer communicates with netmgrd over sockets.
+typeattribute netmgrd socket_between_core_and_vendor_violators;
 allow system_server netmgrd_socket:dir search;
 unix_socket_connect(system_server, netmgrd, netmgrd)
 
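Review bot: The new `typeattribute netmgrd socket_between_core_and_vendor_violators;` is placed in system_server.te although it attaches the exemption to the `netmgrd` domain; every other hunk in this change puts the attribute in the violating domain's own file. Whoever later removes the `unix_socket_connect(system_server, netmgrd, netmgrd)` rule and then looks in the netmgrd domain's own .te file will not find the exemption to remove alongside it. Consider moving the `TODO(b/36613917)` comment and the typeattribute line into that file, leaving only the system_server allow rules here.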
diff --git a/sepolicy/time.te b/sepolicy/time.te
index 259ecbf..189cdea 100644
--- a/sepolicy/time.te
+++ b/sepolicy/time.te
@@ -24,3 +24,6 @@
 userdebug_or_eng(`
   allow time  diag_device:chr_file rw_file_perms;
 ')
+
+# TODO(b/36613996): Remove this once system_app no longer communicates over sockets with time daemon
+typeattribute time socket_between_core_and_vendor_violators;
diff --git a/sepolicy/wcnss_filter.te b/sepolicy/wcnss_filter.te
index 0d6d3d1..279b314 100644
--- a/sepolicy/wcnss_filter.te
+++ b/sepolicy/wcnss_filter.te
@@ -19,3 +19,12 @@
 
 # Allow reading Bluetooth-related system properties
 get_prop(wcnss_filter, bluetooth_prop)
+
+# TODO(b/34274385): Remove this once Bluetooh HAL is guaranteed to not be run in passthrough mode
+# What's going on here is that Bluetooth HAL is talking over sockets to wcnss_filter, which is
+# permitted. However, those rules target hal_bluetooth rather than hal_bluetooth_server and thus
+# are also granted to all clients of Bluetooth HAL (e.g., bluetooth daemon) which are core
+# components, and socket communications between system components and vendor components are not
+# permted.
+# Once we switch full Treble devices to binderized only mode, this issue will disappear.
+typeattribute wcnss_filter socket_between_core_and_vendor_violators;