From 6b6e6bc3f463cf5a3a761672a5d5bcd0407ca2c3 Mon Sep 17 00:00:00 2001
From: Alex Klyubin
Date: Sat, 25 Mar 2017 15:49:05 -0700
Subject: [PATCH] Annotate violators of "no sockets between core and vendor" rule

These vendor domains use communicate with core domains over sockets, which is not permitted. This commit thus temporarily associates these domains with socket_between_core_and_vendor_violators attribute which permits this banned behavior to continue for now. This is a temporary workaround. The fix is to fix these domains to not communicate with core domains over sockets.

NOTE: Some of the domains on the list are there for a benign reason: passthrough HALs. Core domains which host passthrough HAL implementations may initiate socket connections to vendor domains and this is completely permitted. I could've whitelisted all HAL client domains in the neverallow rules (using halclientdomain attribute) but this increases the risk of not noticing banned communications from these domains. Thus, as a workaround until we stop using passthrough HALs (b/34274385), I added the affected vendor domains to the list of exemptions.

Test: mmm system/sepolicy
Bug: 36577153
Change-Id: I4b1c0dd92b000cd802dfc2eed003ac8e4d7c6000
---
 sepolicy/cnd.te | 3 +++
 sepolicy/location.te | 8 ++++++++
 sepolicy/rild.te | 4 ++++
 sepolicy/wcnss_filter.te | 9 +++++++++
 4 files changed, 24 insertions(+)

diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index 7bb165f2..bbd50a64 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -13,3 +13,6 @@ allow cnd self:socket create_socket_perms;
 allowxperm cnd self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;
 init_daemon_domain(cnd)
+
+# TODO(b/36613996): Remove this once system_app no longer communicates over sockets with cnd
+typeattribute cnd socket_between_core_and_vendor_violators;
diff --git a/sepolicy/location.te b/sepolicy/location.te
index b3c34d05..1f58f1a9 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
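Review bot: The new `typeattribute cnd socket_between_core_and_vendor_violators;` line reads as a narrow carve-out for system_app, but as far as the attribute name and the commit message indicate it exempts cnd from the core/vendor socket neverallow altogether, so any other core domain that starts exchanging sockets with cnd while this line exists will no longer be caught at policy build time. The TODO should say that so the exemption is re-audited rather than just deleted: `# NOTE: this attribute silences the core<->vendor socket neverallow for every peer of cnd, not only system_app; re-audit cnd's socket rules before removing it.` The attribute is declared in the platform policy rather than in this file, so this device policy presumably only compiles against a system/sepolicy that already defines it (the Test line builds system/sepolicy) — worth confirming for any older branch this is cherry-picked to.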
@@ -30,3 +30,11 @@ r_dir_file(location, sysfs_type)
 userdebug_or_eng(`
 permissive location;
 ')
+
+# TODO(b/34274385): Remove this once Wi-Fi HAL is guaranteed to not be run in passthrough mode
+# What's going on here is that Wi-Fi HAL is talking over sockets to location daemon, which is
+# permitted. However, those rules target hal_wifi rather than hal_wifi_server and thus are also
+# granted to all clients of these HALs (e.g., system_server) which are core components, and
+# socket communications between system components and vendor components are not permted.
+# Once we switch full Treble devices to binderized only mode, this issue will disappear.
+typeattribute location socket_between_core_and_vendor_violators;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index fcfe4f03..e556e268 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -11,3 +11,7 @@ unix_socket_connect(rild, netmgrd, netmgrd)
 allow rild self:socket ioctl;
 allowxperm rild self:socket ioctl msm_sock_ipc_ioctls;
+
+# TODO(b/36613472): Remove this once system_server, mediaserver, radio, and bluetooth no longer
+# communicate with rild over sockets.
+typeattribute rild socket_between_core_and_vendor_violators;
diff --git a/sepolicy/wcnss_filter.te b/sepolicy/wcnss_filter.te
index 255294c7..3d21d2cb 100644
--- a/sepolicy/wcnss_filter.te
+++ b/sepolicy/wcnss_filter.te
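Review bot: The comment explains that the real defect is socket rules written against `hal_wifi` instead of `hal_wifi_server`, but it does not say where those rules live, and they are not in this hunk; whoever retires the exemption will have to rediscover them. Suggest naming them in the TODO, e.g. `# The offending rules are the hal_wifi -> location socket grants (see the hal_wifi rules in this policy); once they are scoped to hal_wifi_server this attribute can go.` Note also that the line lands directly under `permissive location;` inside `userdebug_or_eng(...)`, so on debug builds the daemon is never actually denied anything; the functional impact of finally dropping this attribute (does location still work once the socket path is gone?) can only be observed on a user build or with the permissive block removed, which is worth stating next to the TODO. The comment also has the typo `permted` for `permitted`.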
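Review bot: The rild TODO lists four core peers (system_server, mediaserver, radio, bluetooth) but the exemption is one attribute on rild, so it is all-or-nothing: it cannot be dropped until every one of those peers has stopped using rild's sockets, and until then none of that traffic is checked by the neverallow. The rules that let those core domains reach rild presumably live in other files (platform or core-domain policy) rather than in rild.te, so the dependency is invisible here; suggest recording it: `# All-or-nothing: this attribute can only be removed after every core peer listed above has migrated off rild's sockets; removing it earlier fails the neverallow at build time.` If the peers are expected to migrate at different times, tracking each one under its own bug would keep the remaining violators visible instead of hiding them behind a single TODO.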
@@ -9,3 +9,12 @@ set_prop(wcnss_filter, bluetooth_prop)
 userdebug_or_eng(`
 permissive wcnss_filter;
 ')
+
+# TODO(b/34274385): Remove this once Bluetooh HAL is guaranteed to not be run in passthrough mode
+# What's going on here is that Bluetooth HAL is talking over sockets to wcnss_filter, which is
+# permitted. However, those rules target hal_bluetooth rather than hal_bluetooth_server and thus
+# are also granted to all clients of Bluetooth HAL (e.g., bluetooth daemon) which are core
+# components, and socket communications between system components and vendor components are not
+# permted.
+# Once we switch full Treble devices to binderized only mode, this issue will disappear.
+typeattribute wcnss_filter socket_between_core_and_vendor_violators;
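Review bot: The added comment misspells two words — `Bluetooh HAL` on the TODO line and `not permted` at the end — and the same `permted` typo appears in the parallel location.te comment; since these comments are what the next engineer will grep for when retiring the exemption, they should read `Bluetooth HAL` and `not permitted`. The comment also explains why the exemption is needed but gives no concrete exit condition beyond "binderized only mode"; a closing line such as `# Safe to remove once the hal_bluetooth socket rules toward wcnss_filter are scoped to hal_bluetooth_server and no passthrough client remains.` would turn the TODO into something that can actually be checked off. As with location, `wcnss_filter` is permissive on userdebug/eng per the context lines above, so the runtime effect of later removing this attribute is only observable on a non-permissive build.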