###
### neverallow rules for untrusted app domains
###

define(`all_untrusted_apps',`{
  ephemeral_app
  isolated_app
  mediaprovider
#  mediaprovider_app  # private
  untrusted_app
  untrusted_app_25
  untrusted_app_27
  untrusted_app_29
  untrusted_app_all
}')

# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;

# Do not permit access from apps which host arbitrary code to HwBinder services.
# The two main reasons for this are:
# 1. HwBinder servers do not perform client authentication because HIDL
#    currently does not expose caller UID information and, even if it did, many
#    HwBinder services either operate at a level below that of apps (e.g., HALs)
#    or must not rely on app identity for authorization. Thus, to be safe, the
#    default assumption is that every HwBinder service treats all its clients as
#    equally authorized to perform operations offered by the service.
# 2. HAL servers (a subset of HwBinder services) contain code with higher
#    incidence rate of security issues than system/core components and have
#    access to lower layes of the stack (all the way down to hardware) thus
#    increasing opportunities for bypassing the Android security model.#
# Safe services include:
# - same process services: because they by definition run in the process
#   of the client and thus have the same access as the client domain in which
#   the process runs
# - coredomain_hwservice: are considered safe because they do not pose risks
#   associated with reason #2 above.
# - hal_configstore_ISurfaceFlingerConfigs:  becuase it has specifically been
#   designed for use by any domain.
# - hal_graphics_allocator_hwservice: because these operations are also offered
#   by surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
#   Binder service which apps were permitted to access.
# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
neverallow all_untrusted_apps ~{
  fwk_bufferhub_hwservice        # coredomain_hwservice. Designed for use by any domain
  hal_cas_hwservice
  hal_codec2_hwservice
  hal_configstore_ISurfaceFlingerConfigs
  hal_drm_hwservice              # technical_debt.cil
  hal_graphics_allocator_hwservice
  hal_graphics_mapper_hwservice  # same process services
  hal_neuralnetworks_hwservice   # AOSP:589714
  hal_omx_hwservice
  hal_renderscript_hwservice     # same process services
  hidl_allocator_hwservice       # coredomain_hwservice. Designed for use by any domain
  hidl_manager_hwservice         # coredomain_hwservice. Designed for use by any domain
  hidl_memory_hwservice          # coredomain_hwservice. Designed for use by any domain
  hidl_token_hwservice           # coredomain_hwservice. Designed for use by any domain
  mtk_safe_hwservice_manager_type
}:hwservice_manager find;

# Restrict *Binder access from apps to HAL domains. We can only do this on full
# Treble devices where *Binder communications between apps and HALs are tightly
# restricted.
full_treble_only(`
  neverallow all_untrusted_apps {
    halserverdomain
    -coredomain
    -hal_cas_server
    -hal_codec2_server
    -hal_configstore_server
    -hal_drm_server
    -hal_graphics_allocator_server
    -hal_neuralnetworks_server
    -hal_omx_server
    -mtk_safe_halserverdomain_type
}:binder { call transfer };
')