Update binder-related policy.
The binder_transfer_binder hook was changed in the kernel, obsoleting
the receive permission and changing the target of the transfer permission.
Update the binder-related policy to match the revised permission checking.
Change-Id: I1ed0dadfde2efa93296e967eb44ca1314cf28586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/access_vectors b/access_vectors
index 4de3463..b039b0b 100644
--- a/access_vectors
+++ b/access_vectors
@@ -871,7 +871,6 @@
call
set_context_mgr
transfer
- receive
}
class zygote
diff --git a/app.te b/app.te
index 65d710a..de7b7d0 100644
--- a/app.te
+++ b/app.te
@@ -188,10 +188,8 @@
binder_use(appdomain)
# Perform binder IPC to binder services.
binder_call(appdomain, binderservicedomain)
-binder_transfer(appdomain, binderservicedomain)
# Perform binder IPC to other apps.
binder_call(appdomain, appdomain)
-binder_transfer(appdomain, appdomain)
# Appdomain interaction with isolated apps
r_dir_file(appdomain, isolated_app)
diff --git a/mediaserver.te b/mediaserver.te
index f5274d9..f941c6a 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -13,7 +13,6 @@
binder_use(mediaserver)
binder_call(mediaserver, binderservicedomain)
binder_call(mediaserver, appdomain)
-binder_transfer(mediaserver, surfaceflinger)
binder_service(mediaserver)
allow mediaserver kernel:system module_request;
diff --git a/servicemanager.te b/servicemanager.te
index fefbe08..a78a485 100644
--- a/servicemanager.te
+++ b/servicemanager.te
@@ -11,4 +11,4 @@
# created by other domains. It never passes its own references
# or initiates a Binder IPC.
allow servicemanager self:binder set_context_mgr;
-allow servicemanager domain:binder { receive transfer };
+allow servicemanager domain:binder transfer;
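Review bot: The comment block above the changed rule still describes the old permission model ("It never passes its own references"), while under the revised hook the `transfer` check is keyed on the domain that receives the reference (the new binder_call comment in te_macros reads "transfer references to it"), so `allow servicemanager domain:binder transfer` now means "servicemanager may hand a reference to any domain". Suggest rewording the lead-in to match, e.g. `# Pass Binder references created by other domains on to any domain.`; the start of that comment block lies outside the hunk. The `domain` target is as broad as before, which is what the context manager needs, so the rule itself looks right.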
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 10a57ee..30b1816 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -12,6 +12,7 @@
binder_use(surfaceflinger)
binder_call(surfaceflinger, system)
binder_service(surfaceflinger)
+allow surfaceflinger init:binder transfer;
# Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
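Review bot: The added `allow surfaceflinger init:binder transfer;` is the only bare binder allow rule among the macro calls in this file and carries no comment saying why surfaceflinger must transfer references to init. Presumably init calls into surfaceflinger and the reply carries a reference; if init's policy used `binder_call(init, surfaceflinger)`, the new macro's `allow $2 $1:binder transfer` would already grant this and the explicit rule would be redundant — worth confirming and recording, e.g. `# Transfer Binder references to init (reply path; init has no binder_call to surfaceflinger).` The rule is one-directional and does not let surfaceflinger call init, which looks intended.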
diff --git a/system.te b/system.te
index 192b14f..7e207c3 100644
--- a/system.te
+++ b/system.te
@@ -8,7 +8,6 @@
# Perform binder IPC to any app domain.
binder_call(system_app, appdomain)
-binder_transfer(system_app, appdomain)
# Read and write system data files.
# May want to split into separate types.
@@ -121,9 +120,6 @@
binder_call(system, binderservicedomain)
binder_call(system, appdomain)
binder_service(system)
-# Transfer other Binder references.
-binder_transfer(system, binderservicedomain)
-binder_transfer(system, appdomain)
# Read /proc/pid files for Binder clients.
r_dir_file(system, appdomain)
diff --git a/te_macros b/te_macros
index 6354496..7883c40 100644
--- a/te_macros
+++ b/te_macros
@@ -152,10 +152,8 @@
# binder_use(domain)
# Allow domain to use Binder IPC.
define(`binder_use', `
-# Get Binder references from the servicemanager.
-allow $1 servicemanager:binder call;
-# Transfer and receive own Binder references.
-allow $1 self:binder { transfer receive };
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
# Map /dev/ashmem with PROT_EXEC.
allow $1 ashmem_device:chr_file execute;
# rw access to /dev/binder and /dev/ashmem is presently granted to
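Review bot: The rewritten binder_use no longer grants `allow $1 self:binder transfer`, which the old macro gave every binder user, so a domain whose processes pass references among themselves (client and server in the same domain) now gets no transfer permission unless it also has a `binder_call(X, X)` the way app.te does for appdomain. If that is intended under the new hook semantics it deserves a line in the macro comment, e.g. `# Self transfer is not granted here; domains that pass references between their own processes need binder_call(dom, dom).`; if not, `allow $1 self:binder transfer;` should come back. The `{ call transfer }` toward servicemanager matches the description in the commit message and looks correct.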
@@ -166,20 +164,15 @@
# binder_call(clientdomain, serverdomain)
# Allow clientdomain to perform binder IPC to serverdomain.
define(`binder_call', `
-# First we receive a Binder ref to the server, then we call it.
-allow $1 $2:binder { receive call };
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
# Receive and use open files from the server.
allow $1 $2:fd use;
')
#####################################
-# binder_transfer(clientdomain, serverdomain)
-# Allow clientdomain to transfer Binder references created by serverdomain.
-define(`binder_transfer', `
-allow $1 $2:binder transfer;
-')
-
-#####################################
# binder_service(domain)
# Mark a domain as being a Binder service domain.
# Used to allow binder IPC to the various system services.
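Review bot: The header comment of binder_call still says only "Allow clientdomain to perform binder IPC to serverdomain", but the macro now also emits a rule for the server (`allow $2 $1:binder transfer`), so every existing `binder_call(A, B)` call site silently grants B a permission toward A; that widening should be stated in the header, e.g. `# Allow clientdomain to perform binder IPC to serverdomain; also grants serverdomain transfer to clientdomain so replies can carry references.` Note that `fd use` stays one-way (`allow $1 $2:fd use`), so a client that may now transfer references to the server by the new rule still cannot pass it open files unless the server has its own fd rule — presumably intentional, but worth confirming against the kernel's file-transfer check.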
diff --git a/unconfined.te b/unconfined.te
index ff53595..e016584 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -20,5 +20,5 @@
allow unconfineddomain port_type:socket_class_set name_bind;
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
allow unconfineddomain domain:peer recv;
-allow unconfineddomain domain:binder { call transfer receive };
+allow unconfineddomain domain:binder { call transfer };
allow unconfineddomain property_type:property_service set;