Allow binder services to r/w su:tcp_socket
Test: binderHostDeviceTest
Bug: 182914638
Change-Id: I1c8d3b2194bc20bd2bcde566190aa5c73d7e7db9
diff --git a/private/audioserver.te b/private/audioserver.te
index 2d0b46d..feda8d4 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -95,7 +95,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow audioserver domain:{ udp_socket rawip_socket } *;
+neverallow audioserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
# Allow using wake locks
wakelock_use(audioserver)
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 2a43cf9..d812525 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -61,4 +61,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediatranscoding domain:{ udp_socket rawip_socket } *;
+neverallow mediatranscoding { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 7a29240..d7451df 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -53,7 +53,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow cameraserver domain:{ udp_socket rawip_socket } *;
+neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 4117878..0214e2a 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -25,7 +25,21 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
-} domain:{ tcp_socket udp_socket rawip_socket } *;
+} domain:{ udp_socket rawip_socket } *;
+
+neverallow {
+ halserverdomain
+ -hal_automotive_socket_exemption
+ -hal_can_controller_server
+ -hal_tetheroffload_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+} {
+ domain
+ userdebug_or_eng(`-su')
+}:tcp_socket *;
###
# HALs are defined as an attribute and so a given domain could hypothetically
diff --git a/public/hal_omx.te b/public/hal_omx.te
index 8e74383..2611dcd 100644
--- a/public/hal_omx.te
+++ b/public/hal_omx.te
@@ -46,4 +46,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_omx_server domain:{ udp_socket rawip_socket } *;
+neverallow hal_omx_server { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/iorapd.te b/public/iorapd.te
index b970699..b772af8 100644
--- a/public/iorapd.te
+++ b/public/iorapd.te
@@ -94,4 +94,5 @@
}:binder call;
neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow iorapd domain:{ udp_socket rawip_socket } *;
+neverallow iorapd { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 06f7928..a29e5dc 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -59,7 +59,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediaextractor domain:{ udp_socket rawip_socket } *;
+neverallow mediaextractor { domain userdebug_or_eng(`-su') }:tcp_socket *;
# mediaextractor should not be opening /data files directly. Any files
# it touches (with a few exceptions) need to be passed to it via a file
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 468c0d0..76f819e 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -42,4 +42,5 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediametrics domain:{ udp_socket rawip_socket } *;
+neverallow mediametrics { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/public/te_macros b/public/te_macros
index 8d15d47..2a218cb 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -670,6 +670,12 @@
define(`add_service', `
allow $1 $2:service_manager { add find };
neverallow { domain -$1 } $2:service_manager add;
+
+ # On debug builds with root, allow binder services to use binder over TCP.
+ # Not using rw_socket_perms_no_ioctl to avoid granting too many permissions.
+ userdebug_or_eng(`
+ allow $1 su:tcp_socket { accept getopt read write };
+ ')
')
###########################################
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index f78b58f..8587e12 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -34,5 +34,6 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow mediacodec domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec { domain userdebug_or_eng(`-su') }:tcp_socket *;