###
### neverallow rules for untrusted app domains
###
# m4 macro expanding to the set of app domains that may execute code the
# platform does not trust. Every neverallow in this file is written against
# this set, so a domain that is missing from it is NOT constrained by any of
# the HwBinder / Binder rules below.
define(`all_untrusted_apps',`{
  ephemeral_app
  isolated_app
  mediaprovider
  # mediaprovider_app # private
  # NOTE(review): mediaprovider_app is commented out (presumably because the
  # type is only declared in private policy and is not visible here). As a
  # result none of the rules in this file apply to it. Confirm it is covered
  # by equivalent rules elsewhere, or that the type does not exist in this
  # policy build.
  untrusted_app
  untrusted_app_25
  untrusted_app_27
  untrusted_app_29
  untrusted_app_all
}')
# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for services listed below.
# This rule is target-agnostic: it denies every hwservice_manager permission
# except find, on every type. Which services may actually be found is narrowed
# separately by a second rule keyed on the hwservice type.
neverallow all_untrusted_apps *:hwservice_manager ~find;
# Do not permit access from apps which host arbitrary code to HwBinder services.
# The two main reasons for this are:
# 1. HwBinder servers do not perform client authentication because HIDL
# currently does not expose caller UID information and, even if it did, many
# HwBinder services either operate at a level below that of apps (e.g., HALs)
# or must not rely on app identity for authorization. Thus, to be safe, the
# default assumption is that every HwBinder service treats all its clients as
# equally authorized to perform operations offered by the service.
# 2. HAL servers (a subset of HwBinder services) contain code with higher
# incidence rate of security issues than system/core components and have
# access to lower layers of the stack (all the way down to hardware) thus
# increasing opportunities for bypassing the Android security model.
# Safe services include:
# - same process services: because they by definition run in the process
# of the client and thus have the same access as the client domain in which
# the process runs
# - coredomain_hwservice: are considered safe because they do not pose risks
# associated with reason #2 above.
# - hal_configstore_ISurfaceFlingerConfigs: because it has specifically been
# designed for use by any domain.
# - hal_graphics_allocator_hwservice: because these operations are also offered
# by surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
# Binder service which apps were permitted to access.
# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
#
# The rule below denies find on every hwservice type EXCEPT the ones in the
# set, so adding a type (or an attribute) to this set is exactly what makes a
# HwBinder service reachable from untrusted apps. Entries that are not
# justified by the list of safe services above (hal_cas_hwservice,
# hal_drm_hwservice, hal_neuralnetworks_hwservice,
# mtk_safe_hwservice_manager_type) each widen the HAL attack surface exposed
# to untrusted code and need their own review; see the inline notes.
neverallow all_untrusted_apps ~{
  fwk_bufferhub_hwservice # coredomain_hwservice. Designed for use by any domain
  hal_cas_hwservice
  hal_codec2_hwservice
  hal_configstore_ISurfaceFlingerConfigs
  hal_drm_hwservice # technical_debt.cil
  # NOTE(review): hal_drm_hwservice is a HAL service (reason 2 above) and the
  # only justification recorded for exposing it is technical debt. Make sure
  # the debt is tracked and that the DRM HAL treats every client as hostile,
  # since reason 1 means it cannot tell an untrusted app from a system caller.
  hal_graphics_allocator_hwservice
  hal_graphics_mapper_hwservice # same process services
  hal_neuralnetworks_hwservice # AOSP:589714
  hal_omx_hwservice
  hal_renderscript_hwservice # same process services
  hidl_allocator_hwservice # coredomain_hwservice. Designed for use by any domain
  hidl_manager_hwservice # coredomain_hwservice. Designed for use by any domain
  hidl_memory_hwservice # coredomain_hwservice. Designed for use by any domain
  hidl_token_hwservice # coredomain_hwservice. Designed for use by any domain
  mtk_safe_hwservice_manager_type
  # NOTE(review): the _type suffix suggests this is an attribute rather than a
  # single hwservice type. Every type tagged with it is silently exempted from
  # this neverallow, so each such type must be reviewed against reasons 1 and
  # 2 above before the attribute is applied to it.
}:hwservice_manager find;
# Restrict *Binder access from apps to HAL domains. We can only do this on full
# Treble devices where *Binder communications between apps and HALs are tightly
# restricted.
#
# This complements the hwservice_manager find restriction: even if an untrusted
# app obtains a handle, it must not be able to binder call/transfer into any
# halserverdomain that is neither coredomain nor one of the server domains
# excluded below. Each -exclusion is therefore a HAL server process that
# untrusted apps may talk to directly, and the list should stay in step with
# the set of hwservices those apps are allowed to find.
full_treble_only(`
  neverallow all_untrusted_apps {
    halserverdomain
    -coredomain
    -hal_cas_server
    -hal_codec2_server
    -hal_configstore_server
    -hal_drm_server
    # NOTE(review): hal_drm_server is exempted with no rationale recorded in
    # this file. DRM HALs run outside coredomain and, with this exclusion,
    # accept binder call/transfer straight from untrusted apps. Confirm this
    # is intentional and tracked.
    -hal_graphics_allocator_server
    -hal_neuralnetworks_server
    -hal_omx_server
    -mtk_safe_halserverdomain_type
    # NOTE(review): the _type suffix suggests an attribute. Any HAL server
    # domain tagged with it escapes this rule entirely, so tagging a domain is
    # equivalent to granting untrusted apps binder access to it and needs the
    # same review as an explicit -exclusion here.
  }:binder { call transfer };
')