Snap for 6823548 from 6ee8dcd to rvc-qpr1-release

android-build-team Robot · android-build-team Robot · commit c864b4c2438e · 2020-09-09T23:08:02.000Z
Change-Id: I75f8c30e4d4eb8f0b7229772e8b1a0aa3395acfa
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
@@ -973,6 +973,9 @@ get_prop(system_server, time_prop)
 # on low memory kills.
 get_prop(system_server, system_lmk_prop)
 
+# Only system server can access BINDER_FREEZE
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE };
+
 ###
 ### Neverallow rules
 ###
@@ -1172,3 +1175,7 @@ neverallow system_server self:perf_event ~{ open write cpu kernel };
 
 # Do not allow any domain other than init or system server to set the property
 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
+# can be accessed by system_server only (b/143717177)
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
@@ -80,6 +80,10 @@ allow domain ashmem_libcutils_device:chr_file rw_file_perms;
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
 
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl unpriv_binder_ioctls;
+
 # /dev/binderfs needs to be accessed by everyone too!
 allow domain binderfs:dir { getattr search };
 allow domain binderfs_logs_proc:dir search;
diff --git a/prebuilts/api/30.0/public/ioctl_defines b/prebuilts/api/30.0/public/ioctl_defines
@@ -132,7 +132,11 @@ define(`BC_RELEASE', `0x40046306')
 define(`BC_REPLY', `0x40406301')
 define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
 define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
 define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
 define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
 define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
 define(`BINDER_SET_MAX_THREADS', `0x40046205')
diff --git a/prebuilts/api/30.0/public/ioctl_macros b/prebuilts/api/30.0/public/ioctl_macros
@@ -66,3 +66,11 @@ PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
 PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
 PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
 }')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT
+}')
diff --git a/private/system_server.te b/private/system_server.te
@@ -973,6 +973,9 @@ get_prop(system_server, time_prop)
 # on low memory kills.
 get_prop(system_server, system_lmk_prop)
 
+# Only system server can access BINDER_FREEZE
+allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE };
+
 ###
 ### Neverallow rules
 ###
@@ -1172,3 +1175,7 @@ neverallow system_server self:perf_event ~{ open write cpu kernel };
 
 # Do not allow any domain other than init or system server to set the property
 neverallow { domain -init -system_server } socket_hook_prop:property_service set;
+
+# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
+# can be accessed by system_server only (b/143717177)
+neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE };
diff --git a/public/domain.te b/public/domain.te
@@ -80,6 +80,10 @@ allow domain ashmem_libcutils_device:chr_file rw_file_perms;
 # /dev/binder can be accessed by ... everyone! :)
 allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
 
+# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
+# added to individual domains, but this sets safe defaults for all processes.
+allowxperm domain binder_device:chr_file ioctl unpriv_binder_ioctls;
+
 # /dev/binderfs needs to be accessed by everyone too!
 allow domain binderfs:dir { getattr search };
 allow domain binderfs_logs_proc:dir search;
diff --git a/public/ioctl_defines b/public/ioctl_defines
@@ -132,7 +132,11 @@ define(`BC_RELEASE', `0x40046306')
 define(`BC_REPLY', `0x40406301')
 define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
 define(`BC_TRANSACTION', `0x40406300')
+define(`BINDER_FREEZE', `0x400c620e')
+define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
+define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
 define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
 define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
 define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
 define(`BINDER_SET_MAX_THREADS', `0x40046205')
diff --git a/public/ioctl_macros b/public/ioctl_macros
@@ -66,3 +66,11 @@ PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
 PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
 PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
 }')
+
+# unprivileged binder ioctls
+define(`unpriv_binder_ioctls', `{
+BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
+BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
+BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
+BINDER_SET_CONTEXT_MGR_EXT
+}')
