Merge "Rules for new installd Binder interface."

jsharkey · Gerrit Code Review · commit fed665edcab2 · 2016-12-06T00:14:54.000Z
diff --git a/private/service_contexts b/private/service_contexts
@@ -56,6 +56,7 @@ hdmi_control                              u:object_r:hdmi_control_service:s0
 inputflinger                              u:object_r:inputflinger_service:s0
 input_method                              u:object_r:input_method_service:s0
 input                                     u:object_r:input_service:s0
+installd                                  u:object_r:installd_service:s0
 iphonesubinfo_msim                        u:object_r:radio_service:s0
 iphonesubinfo2                            u:object_r:radio_service:s0
 iphonesubinfo                             u:object_r:radio_service:s0
diff --git a/public/installd.te b/public/installd.te
@@ -118,3 +118,21 @@ allow installd devpts:chr_file rw_file_perms;
 
 # execute toybox for app relocation
 allow installd toolbox_exec:file rx_file_perms;
+
+# Allow installd to publish a binder service and make binder calls.
+binder_use(installd)
+allow installd installd_service:service_manager add;
+allow installd dumpstate:fifo_file  { getattr write };
+
+# Allow installd to call into the system server so it can check permissions.
+binder_call(installd, system_server)
+allow installd permission_service:service_manager find;
+
+###
+### Neverallow rules
+###
+
+# only system_server and dumpstate may interact with installd over binder
+neverallow { domain -system_server -dumpstate } installd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } installd:binder call;
+neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/public/service.te b/public/service.te
@@ -1,14 +1,15 @@
 type audioserver_service,       service_manager_type;
+type batteryproperties_service, app_api_service, service_manager_type;
 type bluetooth_service,         service_manager_type;
 type cameraserver_service,      service_manager_type;
 type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
 type dumpstate_service,         service_manager_type;
-type gatekeeper_service,        app_api_service, service_manager_type;
 type fingerprintd_service,      service_manager_type;
-type batteryproperties_service, app_api_service, service_manager_type;
+type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               service_manager_type;
 type inputflinger_service,      service_manager_type;
+type installd_service,          service_manager_type;
 type keystore_service,          service_manager_type;
 type mediaserver_service,       service_manager_type;
 type mediaanalytics_service,    service_manager_type;
diff --git a/public/shell.te b/public/shell.te
@@ -90,7 +90,7 @@ allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -netd_service}:service_manager find;
+allow shell { service_manager_type -gatekeeper_service -netd_service -installd_service}:service_manager find;
 allow shell dumpstate:binder call;
 
 # allow shell to look through /proc/ for ps, top, netstat
diff --git a/public/system_app.te b/public/system_app.te
@@ -50,7 +50,7 @@ allow system_app asec_apk_file:file r_file_perms;
 
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
 
 allow system_app keystore:keystore_key {
 	get_state
diff --git a/public/system_server.te b/public/system_server.te
@@ -155,11 +155,12 @@ binder_call(system_server, hal_power)
 binder_call(system_server, hal_thermal)
 binder_call(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
-binder_call(system_server, binderservicedomain)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, fingerprintd)
 binder_call(system_server, { appdomain ephemeral_app })
+binder_call(system_server, binderservicedomain)
 binder_call(system_server, dumpstate)
+binder_call(system_server, fingerprintd)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, installd)
 binder_call(system_server, netd)
 binder_call(system_server, wificond)
 binder_service(system_server)
@@ -455,13 +456,14 @@ allow system_server sysfs_zram:dir search;
 allow system_server sysfs_zram:file r_file_perms;
 
 allow system_server audioserver_service:service_manager find;
+allow system_server batteryproperties_service:service_manager find;
 allow system_server cameraserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
 allow system_server dumpstate_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server installd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server mediaanalytics_service:service_manager find;
 allow system_server mediaextractor_service:service_manager find;
