###
### neverallow rules for untrusted app domains
###

define(`all_untrusted_apps',`{
  ephemeral_app
  isolated_app
  mediaprovider
  untrusted_app
  untrusted_app_25
  untrusted_app_27
  untrusted_app_all
  untrusted_v2_app
}')
# Receive or send uevent messages.
neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;

# Receive or send generic netlink messages
neverallow all_untrusted_apps domain:netlink_socket *;

# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow all_untrusted_apps debugfs_type:file read;

# Do not allow untrusted apps to register services.
# Only trusted components of Android should be registering
# services.
neverallow all_untrusted_apps service_manager_type:service_manager add;

# Do not allow untrusted apps to use VendorBinder
neverallow all_untrusted_apps vndbinder_device:chr_file *;
neverallow all_untrusted_apps vndservice_manager_type:service_manager *;

# Do not allow untrusted apps to connect to the property service
# or set properties. b/10243159
neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;

# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
# but otherwise disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;

# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
# constraints. As there is no direct way to specify a neverallow
# on attribute assignment, this relies on the fact that fork
# permission only makes sense within a domain (hence should
# never be granted to any other domain within mlstrustedsubject)
# and an untrusted app is allowed fork permission to itself.
neverallow all_untrusted_apps mlstrustedsubject:process fork;

# Do not allow untrusted apps to hard link to any files.
# In particular, if an untrusted app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked-to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted apps never have this
# capability.
neverallow all_untrusted_apps file_type:file link;

# Do not allow untrusted apps to access the network MAC address file
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;

# Do not allow any write access to files in /sys
neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };

# Apps may never access the default sysfs label.
neverallow all_untrusted_apps sysfs:file no_rw_file_perms;

# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
neverallow all_untrusted_apps *:{
  socket netlink_socket packet_socket key_socket appletalk_socket
  netlink_tcpdiag_socket netlink_nflog_socket
  netlink_xfrm_socket netlink_audit_socket
  netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket
} *;

# Do not allow untrusted apps access to /cache
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };

# Do not allow untrusted apps to create/unlink files outside of their sandbox,
# internal storage or sdcard.
# World-accessible data locations allow applications to fill the device
# with unaccounted-for data. This data will not get removed during
# application un-installation.
neverallow { all_untrusted_apps -mediaprovider } {
  fs_type
  -sdcard_type
  file_type
  -app_data_file            # The app's sandbox itself
  -media_rw_data_file       # Internal storage. Known that apps can
                            # leave artifacts here after uninstall.
  -user_profile_data_file   # Access to profile files
  userdebug_or_eng(`
    -method_trace_data_file # only on ro.debuggable=1
    -coredump_file          # userdebug/eng only
  ')
}:dir_file_class_set { create unlink };

# No untrusted component should be touching /dev/fuse
neverallow all_untrusted_apps fuse_device:chr_file *;

# Do not allow untrusted apps to directly open tun_device
neverallow all_untrusted_apps tun_device:chr_file open;

# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
neverallow all_untrusted_apps anr_data_file:dir ~search;

# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
neverallow all_untrusted_apps {
  proc
  proc_asound
  proc_filesystems
  proc_kmsg
  proc_loadavg
  proc_mounts
  proc_pagetypeinfo
  proc_stat
  proc_swaps
  proc_uptime
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file { no_rw_file_perms no_x_file_perms };

# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };

# Do not allow untrusted apps access to preloads data files
neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;

# Locking of files on /system could lead to denial of service attacks
# against privileged system components
neverallow all_untrusted_apps system_file:file lock;

# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;

# Do not permit access from apps which host arbitrary code to HwBinder services,
# except those considered sufficiently safe for access from such apps.
# The two main reasons for this are:
# 1. HwBinder servers do not perform client authentication because HIDL
#    currently does not expose caller UID information and, even if it did, many
#    HwBinder services either operate at a level below that of apps (e.g., HALs)
#    or must not rely on app identity for authorization. Thus, to be safe, the
#    default assumption is that every HwBinder service treats all its clients as
#    equally authorized to perform operations offered by the service.
# 2. HAL servers (a subset of HwBinder services) contain code with a higher
#    incidence rate of security issues than system/core components and have
#    access to lower layers of the stack (all the way down to hardware), thus
#    increasing opportunities for bypassing the Android security model.
#
# Safe services include:
# - same process services: because they by definition run in the process
#   of the client and thus have the same access as the client domain in which
#   the process runs
# - coredomain_hwservice: are considered safe because they do not pose risks
#   associated with reason #2 above.
# - hal_configstore_ISurfaceFlingerConfigs: because it has specifically been
#   designed for use by any domain.
# - hal_graphics_allocator_hwservice: because these operations are also offered
#   by the surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
#   Binder service which apps were permitted to access.
# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
neverallow all_untrusted_apps {
  hwservice_manager_type
  -same_process_hwservice
  -coredomain_hwservice
  -hal_codec2_hwservice
  -hal_configstore_ISurfaceFlingerConfigs
  -hal_graphics_allocator_hwservice
  -hal_omx_hwservice
  -hal_cas_hwservice
  -hal_neuralnetworks_hwservice
  -untrusted_app_visible_hwservice
}:hwservice_manager find;

# Make sure that the following services are never accessible by untrusted_apps
neverallow all_untrusted_apps {
  default_android_hwservice
  hal_audio_hwservice
  hal_authsecret_hwservice
  hal_bluetooth_hwservice
  hal_bootctl_hwservice
  hal_camera_hwservice
  hal_confirmationui_hwservice
  hal_contexthub_hwservice
  hal_drm_hwservice
  hal_dumpstate_hwservice
  hal_fingerprint_hwservice
  hal_gatekeeper_hwservice
  hal_gnss_hwservice
  hal_graphics_composer_hwservice
  hal_health_hwservice
  hal_ir_hwservice
  hal_keymaster_hwservice
  hal_light_hwservice
  hal_memtrack_hwservice
  hal_nfc_hwservice
  hal_oemlock_hwservice
  hal_power_hwservice
  hal_secure_element_hwservice
  hal_sensors_hwservice
  hal_telephony_hwservice
  hal_thermal_hwservice
  hal_tv_cec_hwservice
  hal_tv_input_hwservice
  hal_usb_hwservice
  hal_vibrator_hwservice
  hal_vr_hwservice
  hal_weaver_hwservice
  hal_wifi_hwservice
  hal_wifi_offload_hwservice
  hal_wifi_supplicant_hwservice
  hidl_base_hwservice
  system_net_netd_hwservice
  thermalcallback_hwservice
}:hwservice_manager find;
# HwBinder services offered by core components (as opposed to vendor components)
# are considered somewhat safer due to point #2 above.
neverallow all_untrusted_apps {
  coredomain_hwservice
  -same_process_hwservice
  -hidl_allocator_hwservice # Designed for use by any domain
  -hidl_manager_hwservice   # Designed for use by any domain
  -hidl_memory_hwservice    # Designed for use by any domain
  -hidl_token_hwservice     # Designed for use by any domain
}:hwservice_manager find;

# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;

# Restrict *Binder access from apps to HAL domains. We can only do this on full
# Treble devices where *Binder communications between apps and HALs are tightly
# restricted.
full_treble_only(`
  neverallow all_untrusted_apps {
    halserverdomain
    -coredomain
    -hal_configstore_server
    -hal_graphics_allocator_server
    -hal_cas_server
    -hal_neuralnetworks_server
    -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
    -untrusted_app_visible_halserver
  }:binder { call transfer };
')

# Untrusted apps are not allowed to find mediaextractor update service.
neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
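The set syntax these rules rely on ({ a -b } exclusions, ~ complements and *) is what decides exactly which (source, target, class, permission) tuples a neverallow forbids, so a policy change is easiest to reason about by expanding it. The checker below is an added example, not part of the AOSP policy or its build tooling: it expands that syntax against a small constructed attribute map and per-class permission set (assumptions, not the real compiled policy) and reports which tuples of a candidate allow rule collide with three neverallows quoted from this file.

```python
import re
from itertools import product

# Constructed attribute memberships (a small subset of the real policy); a
# real check would take these from the compiled policy instead.
ATTRS = {
    "all_untrusted_apps": {"untrusted_app", "untrusted_app_25", "isolated_app", "mediaprovider"},
    "file_type": {"app_data_file", "system_file", "cache_file", "cache_recovery_file", "anr_data_file"},
}
TYPES = set().union(*ATTRS.values())
# Constructed per-class permission sets; '~' complements are taken against these.
CLASS_PERMS = {
    "file": {"read", "write", "getattr", "open", "append", "link", "lock", "create", "unlink"},
    "dir": {"read", "write", "search", "getattr", "open", "add_name", "remove_name", "create", "unlink"},
}
# (never)allow SRC TGT:CLASS PERMS;  each field is a name, '*' or '{ ... }', optionally '~'-prefixed.
RULE_RE = re.compile(
    r"^\s*(?P<kind>allow|neverallow)\s+(?P<src>~?\{[^}]*\}|[^\s{]+)\s+"
    r"(?P<tgt>~?\{[^}]*\}|[^\s:{]+):(?P<cls>~?\{[^}]*\}|[^\s;{]+)\s+"
    r"(?P<perms>~?\{[^}]*\}|[^\s;{]+)\s*;")


def members(name):
    """An attribute expands to its member types; a plain type is itself."""
    return set(ATTRS.get(name, {name}))


def expand(expr, universe):
    """Concrete set for a bare name, '*', '{ a b -c }' ('-' excludes) or
    '~X' (everything in UNIVERSE except X)."""
    expr = expr.strip()
    if expr.startswith("~"):
        return universe - expand(expr[1:], universe)
    if expr == "*":
        return set(universe)
    if expr.startswith("{"):
        result = set()
        for tok in expr.strip("{}").split():
            if tok.startswith("-"):
                result -= members(tok[1:])
            else:
                result |= members(tok)
        return result
    return members(expr)


def concretize(rule):
    """Parse one rule into every (source, target, class, perm) it covers."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unparsable rule: " + rule)
    srcs, tgts = expand(m["src"], TYPES), expand(m["tgt"], TYPES)
    covered = set()
    for cls in expand(m["cls"], set(CLASS_PERMS)):
        for perm in expand(m["perms"], CLASS_PERMS[cls]):
            covered.update(product(srcs, tgts, [cls], [perm]))
    return covered


def violations(allow_rule, neverallow_rules):
    """Sorted tuples of ALLOW_RULE that a neverallow forbids; [] means compatible."""
    forbidden = set().union(*(concretize(r) for r in neverallow_rules))
    return sorted(concretize(allow_rule) & forbidden)


# Rules quoted from the policy file above.
NEVERALLOWS = [
    "neverallow all_untrusted_apps file_type:file link;",
    "neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };",
    "neverallow all_untrusted_apps anr_data_file:dir ~search;",
]

if __name__ == "__main__":
    for allow in ("allow untrusted_app cache_file:file { read write };",
                  "allow mediaprovider cache_file:file write;",
                  "allow untrusted_app app_data_file:file { read link };"):
        print(allow, "->", violations(allow, NEVERALLOWS) or "ok")
```

Note that the mediaprovider write to /cache passes only because that rule excludes it with -mediaprovider, while the hard-link rule has no exclusion and catches link on any file_type member.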