###
### neverallow rules for untrusted app domains
###

define(`all_untrusted_apps',`{
    ephemeral_app
    isolated_app
    mediaprovider
#    mediaprovider_app # private
    untrusted_app
    untrusted_app_25
    untrusted_app_27
    untrusted_app_29
    untrusted_app_all
}')

# Do not permit untrusted apps to perform actions on HwBinder service_manager
# other than find actions for the services listed below.
neverallow all_untrusted_apps *:hwservice_manager ~find;

# Do not permit access from apps which host arbitrary code to HwBinder services.
# The two main reasons for this are:
# 1. HwBinder servers do not perform client authentication because HIDL
#    currently does not expose caller UID information and, even if it did, many
#    HwBinder services either operate at a level below that of apps (e.g., HALs)
#    or must not rely on app identity for authorization. Thus, to be safe, the
#    default assumption is that every HwBinder service treats all its clients as
#    equally authorized to perform operations offered by the service.
# 2. HAL servers (a subset of HwBinder services) contain code with a higher
#    incidence rate of security issues than system/core components and have
#    access to lower layers of the stack (all the way down to hardware), thus
#    increasing opportunities for bypassing the Android security model.
# Safe services include:
# - same process services: because they by definition run in the process
#   of the client and thus have the same access as the client domain in which
#   the process runs
# - coredomain_hwservice: are considered safe because they do not pose the risks
#   associated with reason #2 above.
# - hal_configstore_ISurfaceFlingerConfigs: because it has specifically been
#   designed for use by any domain.
# - hal_graphics_allocator_hwservice: because these operations are also offered
#   by the surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
#   Binder service which apps were permitted to access.
# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
neverallow all_untrusted_apps ~{
    fwk_bufferhub_hwservice # coredomain_hwservice. Designed for use by any domain
    hal_cas_hwservice
    hal_codec2_hwservice
    hal_configstore_ISurfaceFlingerConfigs
    hal_drm_hwservice # technical_debt.cil
    hal_graphics_allocator_hwservice
    hal_graphics_mapper_hwservice # same process services
    hal_neuralnetworks_hwservice # AOSP:589714
    hal_omx_hwservice
    hal_renderscript_hwservice # same process services
    hidl_allocator_hwservice # coredomain_hwservice. Designed for use by any domain
    hidl_manager_hwservice # coredomain_hwservice. Designed for use by any domain
    hidl_memory_hwservice # coredomain_hwservice. Designed for use by any domain
    hidl_token_hwservice # coredomain_hwservice. Designed for use by any domain
    mtk_safe_hwservice_manager_type
}:hwservice_manager find;

# Restrict *Binder access from apps to HAL domains. We can only do this on full
# Treble devices where *Binder communications between apps and HALs are tightly
# restricted.
full_treble_only(`
    neverallow all_untrusted_apps {
        halserverdomain
        -coredomain
        -hal_cas_server
        -hal_codec2_server
        -hal_configstore_server
        -hal_drm_server
        -hal_graphics_allocator_server
        -hal_neuralnetworks_server
        -hal_omx_server
        -mtk_safe_halserverdomain_type
    }:binder { call transfer };
')
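The two rules above rely on set arithmetic in the target position: `~{ ... }` is the complement of the listed types over every type in the policy, and `{ halserverdomain -coredomain -hal_x_server }` is an attribute with specific members subtracted. At build time checkpolicy/secilc rejects the whole policy if any `allow` rule grants a permission that a `neverallow` forbids. The following is an added example, not part of this policy file or of AOSP, that models those semantics in Python against a constructed miniature policy so the effect of the two rules can be checked on candidate `allow` rules. The `all_untrusted_apps` m4 macro is represented as a plain set expression, and the names `hal_audio_hwservice` and `hal_audio_server` are assumptions used only to show a violation being caught.

```python
"""Toy evaluator for SELinux neverallow rules shaped like app_neverallows.te.

Added example, not code from the policy file above.  The miniature policy in
build_policy() is constructed for illustration; hal_audio_hwservice and
hal_audio_server are assumed names used only to exercise a violation.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    attributes: dict = field(default_factory=dict)  # attribute -> member types
    types: set = field(default_factory=set)         # every declared type

    def declare(self, name, *attrs):
        self.types.add(name)
        for a in attrs:
            self.attributes.setdefault(a, set()).add(name)

    def _resolve(self, name):
        if name in self.attributes:
            return set(self.attributes[name])
        if name in self.types:
            return {name}
        raise KeyError(f"unknown type or attribute: {name}")

    def expand(self, expr):
        """Expand a type-set expression into concrete types.

        Mirrors the policy syntax used above:
          'foo'          a single type or attribute
          '{ a b -c }'   union of members minus the '-' subtracted ones
          '~{ a b }'     complement of the set relative to ALL types
        """
        expr = expr.strip()
        negate = expr.startswith("~")
        if negate:
            expr = expr[1:].strip()
        result, subtract = set(), set()
        for tok in expr.strip("{}").split():
            if tok.startswith("-"):
                subtract |= self._resolve(tok[1:])
            else:
                result |= self._resolve(tok)
        result -= subtract
        return self.types - result if negate else result


@dataclass
class Rule:
    source: str
    target: str
    tclass: str
    perms: set


def neverallow_violations(policy, allows, neverallow):
    """Return the allow rules the neverallow would reject at policy build time.

    A neverallow fails if ANY allow grants one of its permissions, on the same
    class, from a source in its source set to a target in its target set.
    """
    src = policy.expand(neverallow.source)
    tgt = policy.expand(neverallow.target)
    return [a for a in allows
            if a.tclass == neverallow.tclass
            and policy.expand(a.source) & src
            and policy.expand(a.target) & tgt
            and a.perms & neverallow.perms]


# Stand-in for the m4 define above (constructed subset of the real list).
ALL_UNTRUSTED_APPS = "{ untrusted_app untrusted_app_25 isolated_app ephemeral_app }"

HWSERVICE_NEVERALLOW = Rule(
    ALL_UNTRUSTED_APPS,
    "~{ hal_graphics_allocator_hwservice hal_omx_hwservice hidl_manager_hwservice }",
    "hwservice_manager", {"find"})
BINDER_NEVERALLOW = Rule(
    ALL_UNTRUSTED_APPS,
    "{ halserverdomain -coredomain -hal_graphics_allocator_server }",
    "binder", {"call", "transfer"})


def build_policy():
    p = Policy()
    for d in ("untrusted_app", "untrusted_app_25", "isolated_app", "ephemeral_app"):
        p.declare(d, "appdomain")
    # Three hwservices from the safe list plus one (assumed name) that is not.
    for s in ("hal_graphics_allocator_hwservice", "hal_omx_hwservice",
              "hidl_manager_hwservice", "hal_audio_hwservice"):
        p.declare(s, "hwservice_manager_type")
    p.declare("hal_graphics_allocator_server", "halserverdomain")
    p.declare("hal_audio_server", "halserverdomain")            # assumed name
    p.declare("surfaceflinger", "halserverdomain", "coredomain")  # in-system HAL
    return p


def check_sample_policy():
    """Run both neverallows over constructed allow rules; return the hits."""
    p = build_policy()
    allows = [
        Rule("untrusted_app", "hal_graphics_allocator_hwservice", "hwservice_manager", {"find"}),  # safe-listed
        Rule("untrusted_app", "hal_audio_hwservice", "hwservice_manager", {"find"}),               # rejected
        Rule("untrusted_app", "hal_graphics_allocator_server", "binder", {"call"}),                 # excluded by '-'
        Rule("isolated_app", "hal_audio_server", "binder", {"call", "transfer"}),                   # rejected
        Rule("untrusted_app", "surfaceflinger", "binder", {"call"}),                                # coredomain
    ]
    hw = neverallow_violations(p, allows, HWSERVICE_NEVERALLOW)
    bi = neverallow_violations(p, allows, BINDER_NEVERALLOW)
    return ([(r.source, r.target) for r in hw], [(r.source, r.target) for r in bi])


if __name__ == "__main__":
    print(check_sample_policy())
```

The point the model makes visible is that `~{ ... }` is evaluated over every type, not just hwservice types, so a vendor adding a new `*_hwservice` type gets it denied to apps by default and must add it to the exception list (or to `mtk_safe_hwservice_manager_type`) deliberately; likewise a new HAL server domain picking up `halserverdomain` is covered by the binder rule unless it is subtracted or is a `coredomain`. The real toolchain reports the offending `allow` and fails the build rather than returning a list.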