sepolicy: restrict BINDER_FREEZE to system_server
BINDER_FREEZE is used to block IPC transactions to frozen processes, so
only system_server should be allowed to use it.
Bug: 143717177
Test: manually verified that attempts to use BINDER_FREEZE by processes other
than system_server receive a sepolicy denial
Test: verified that system_server can enable/disable the freezer in
binder
Change-Id: I0fae3585c6ec409809e8085c1cc9862be4755889
Merged-In: I0fae3585c6ec409809e8085c1cc9862be4755889
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index d9d7898..dab0998 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -973,6 +973,9 @@
# on low memory kills.
get_prop(system_server, system_lmk_prop)
+# Only system server can access BINDER_FREEZE
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE };
+
###
### Neverallow rules
###
@@ -1172,3 +1175,7 @@
# Do not allow any domain other than init or system server to set the property
neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
+# can be accessed by system_server only (b/143717177)
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index 8cb4950..e1ca737 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -80,6 +80,10 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl unpriv_binder_ioctls;
+
# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
index 558dd92..e31868a 100644
--- a/prebuilts/api/30.0/public/ioctl_defines
+++ b/prebuilts/api/30.0/public/ioctl_defines
@@ -132,7 +132,11 @@
define(`BC_REPLY', `0x40406301')
define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
define(`BINDER_SET_MAX_THREADS', `0x40046205')
diff --git a/prebuilts/api/30.0/public/ioctl_macros b/prebuilts/api/30.0/public/ioctl_macros
index 5cbfae5..4538962 100644
--- a/prebuilts/api/30.0/public/ioctl_macros
+++ b/prebuilts/api/30.0/public/ioctl_macros
@@ -66,3 +66,11 @@
PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
}')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT
+}')
diff --git a/private/system_server.te b/private/system_server.te
index d9d7898..dab0998 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -973,6 +973,9 @@
# on low memory kills.
get_prop(system_server, system_lmk_prop)
+# Only system server can access BINDER_FREEZE
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE };
+
###
### Neverallow rules
###
@@ -1172,3 +1175,7 @@
# Do not allow any domain other than init or system server to set the property
neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
+# can be accessed by system_server only (b/143717177)
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };
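Review bot: The neverallowxperm on the last line is a build-time assertion (checked when the policy is compiled and, presumably, by the CTS neverallow tests), not a runtime deny; the actual runtime restriction comes from every domain now carrying an allowxperm list for binder_device ioctls that omits BINDER_FREEZE. The comment should make that dependency explicit so nobody later treats this line as the enforcing rule, e.g. `# Build-time assertion: the runtime deny relies on the domain-wide binder ioctl allowlist in public/domain.te not containing BINDER_FREEZE.` This also leaves system_server as the only domain able to freeze, so the freezer cannot be delegated to a helper domain without relaxing this rule; if that is intentional it is worth saying in the commit message.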
diff --git a/public/domain.te b/public/domain.te
index 8cb4950..e1ca737 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -80,6 +80,10 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl unpriv_binder_ioctls;
+
# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;
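Review bot: The new allowxperm is granted to all of `domain`, while the base allow two lines above excludes hwservicemanager and vndservicemanager from binder_device rw_file_perms; an xperm rule without the base ioctl permission is a no-op, so this is not a security problem, but mirroring the set keeps the two rules readable as one statement: `allowxperm { domain -hwservicemanager -vndservicemanager } binder_device:chr_file ioctl unpriv_binder_ioctls;`. The comment could also spell out the SELinux extended-permission semantics that make this an allowlist at all: once an allowxperm rule exists for a source/target pair, any ioctl command not listed is denied for that pair unless another allowxperm adds it, e.g. `# Once this rule exists, binder ioctls not in unpriv_binder_ioctls are denied for every domain; grant extras per domain.`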
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 558dd92..e31868a 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,7 +132,11 @@
define(`BC_REPLY', `0x40406301')
define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
define(`BINDER_SET_MAX_THREADS', `0x40046205')
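Review bot: The four new constants are raw ioctl numbers with the argument size encoded in bits 16-29, so they silently stop matching if the kernel's argument struct ever changes size, and nothing here lets a reviewer check them. If I decode them correctly, `0x400c620e` is `_IOW('b', 14, <12-byte arg>)`, `0xc018620b` and `0xc018620c` are `_IOWR('b', 11|12, <24-byte arg>)`, and `0x4018620d` is `_IOW('b', 13, <24-byte arg>)`; a trailing comment on each define in that form, e.g. `define(`BINDER_FREEZE', `0x400c620e') # _IOW('b', 14, 12-byte arg); keep in sync with the kernel uapi binder header`, records the derivation. Worth confirming the sizes against the binder header of the kernel the device ships, since a mismatch here turns into a denial for system_server rather than an over-grant.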
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 5cbfae5..4538962 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -66,3 +66,11 @@
PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
}')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT
+}')
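Review bot: `unpriv_binder_ioctls` is presented as the unprivileged set, yet it includes BINDER_SET_CONTEXT_MGR and BINDER_SET_CONTEXT_MGR_EXT, the commands that make the caller the binder context manager; that is only acceptable because the kernel gates those commands separately (presumably via the binder set_context_mgr LSM check, which this diff does not show; confirm). The comment on the macro should say so, e.g. `# Binder ioctls every domain may issue. SET_CONTEXT_MGR(_EXT) is listed only because the kernel applies a separate binder:set_context_mgr check; do not rely on this list alone.` Without that, a later reader may assume the allowlist is self-contained and treat the context-manager check as redundant.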