
ubuntu-phonedations-bugs team mailing list archive

[Bug 1197134] Re: All SDK applications require access to /dev/binder

 

** Description changed:

  SDK applications need the following AppArmor policy to run:
  
    /dev/binder rw,
  
  The writes to /dev/binder allow applications to attack binder directly
- which weakens our application confinement policy.
+ which weakens our application confinement policy because there is no
+ mediation between binder services.
  
- Update 2013-09-04 (audioflinger and media service are not used anymore):
- All apps currently need this access because of surface flinger. The following are the binder services that Ubuntu currently uses:
- - surface flinger
+ All apps currently need this access because of the sensors service (even on mir). The following are the binder services that Ubuntu currently uses:
  - camera
  - sensors
+ - surface flinger (only used as fallback now)
  
  location was in this group but is already moved away. vibrate is not
  implemented but when it is it will only use our API (ie, not binder). Of
- the 5 remaining binder services listed above, surface flinger, audio
- flinger and the media service are being moved to HAL (ie, don't use
- binder but use the device directly via the generalized HAL API). Camera
- should move to HAL in 14.04, and sensors may in 14.04 or later.
+ the remaining binder services listed above, camera is moving to HAL in
+ 14.04 and sensors shoudl also move there as well in 14.04.
  
- Therefore, when surface flinger is no longer used, we can remove
- /dev/binder from the ubuntu-sdk apparmor template, and move it into the
- various policy groups. As we move to HAL in the various services, we'll
- update those policy groups to remove /dev/binder as well.
+ This bug will be resolved when /dev/binder is no longer used or it is
+ only used by one service and therefore the /dev/binder access can move
+ into the appropriate policy group.
  
- Update 2013-09-03:
- Unfortunately when I tested Mir on mako recently, applications failed to start if I took away access to /dev/binder. Eg:
- Aug 23 21:18:13 ubuntu-phablet kernel: [ 9531.171096] type=1400
- audit(1377292693.295:596): apparmor="DENIED" operation="open" parent=769
- profile="com.ubuntu.developer.jdstrand.evilapp_evilapp_0.5" name="/dev/binder"
- pid=6035 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
- Aug 23 21:24:16 ubuntu-phablet kernel: [ 9894.826978] type=1400
- audit(1377293056.953:1109): apparmor="DENIED" operation="open" parent=769
- profile="com.ubuntu.developer.mhall119.xda-developers-app_xda-developers_0.1.5"
- name="/dev/binder" pid=6415 comm="qmlscene" requested_mask="rw" denied_mask="rw"
- fsuid=32011 ouid=0
- 
- Why would an app on Mir need access to /dev/binder? Does
- libhybris need to be updated in some way?
- 
- I verified that surface_flinger is not running:
- $ ps auxww | grep [s]urf
- $
- 
- Getting rid of /dev/binder access (ie, executing our plan as of
- 2013-08-08) is critical for fine-grained application confinement to
- work.
- 
- Update 2013-10-16:
- This is still an issue on image 99. ricmm mentioned that all applications use the sensors so all applications have access to binder-- so this is why even mir applications need it.
+ Right now, because all apps needs access to /dev/binder, all apps end up
+ with access to the camera and sensors services even when these policy
+ groups are not specified. Getting rid of /dev/binder access is for fine-
+ grained application confinement to work correctly.
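
Review bot: the final added sentence ("Getting rid of /dev/binder access is for fine-grained application confinement to work correctly") no longer states a requirement, because the word "critical" from the removed 2013-09-03 text was dropped; restore it or reword the sentence. The added text also has "shoudl" for "should" and "all apps needs" for "all apps need". The rewrite removes the two AppArmor DENIED audit lines and the note that ricmm explained the sensors dependency, which were the only evidence on the page for "even on mir"; keeping a one-line reference to that evidence would leave the claim checkable.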

-- 
You received this bug notification because you are a member of Ubuntu
Phonedations bugs, which is a bug assignee.
https://bugs.launchpad.net/bugs/1197134

Title:
  All SDK applications require access to /dev/binder

Status in Touch Preview Images:
  New
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Triaged
Status in “lxc-android-config” package in Ubuntu:
  Confirmed
Status in “apparmor-easyprof-ubuntu” source package in Saucy:
  Won't Fix
Status in “lxc-android-config” source package in Saucy:
  Confirmed
Status in “apparmor-easyprof-ubuntu” source package in t-series:
  Confirmed
Status in “lxc-android-config” source package in t-series:
  New

Bug description:
  SDK applications need the following AppArmor policy to run:

    /dev/binder rw,

  The writes to /dev/binder allow applications to attack binder directly
  which weakens our application confinement policy because there is no
  mediation between binder services.

  All apps currently need this access because of the sensors service (even on mir). The following are the binder services that Ubuntu currently uses:
  - camera
  - sensors
  - surface flinger (only used as fallback now)

  location was in this group but is already moved away. vibrate is not
  implemented but when it is it will only use our API (ie, not binder).
  Of the remaining binder services listed above, camera is moving to HAL
  in 14.04 and sensors should also move there as well in 14.04.

  This bug will be resolved when /dev/binder is no longer used or it is
  only used by one service and therefore the /dev/binder access can move
  into the appropriate policy group.

  Right now, because all apps need access to /dev/binder, all apps end
  up with access to the camera and sensors services even when these
  policy groups are not specified. Getting rid of /dev/binder access is
  for fine-grained application confinement to work correctly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/touch-preview-images/+bug/1197134/+subscriptions
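
The AppArmor denials quoted in the earlier revision of this description have a regular key=value shape, so the effect of dropping `/dev/binder rw,` from a template can be checked by grouping such denials per profile. The following is an added example, not part of the bug report or of any Ubuntu package; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample kernel audit lines. The first two are the denials quoted in the
# report, re-joined onto one line each; the third is constructed to show
# that denials for other paths are ignored.
SAMPLE_LOG = """\
Aug 23 21:18:13 ubuntu-phablet kernel: [ 9531.171096] type=1400 audit(1377292693.295:596): apparmor="DENIED" operation="open" parent=769 profile="com.ubuntu.developer.jdstrand.evilapp_evilapp_0.5" name="/dev/binder" pid=6035 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
Aug 23 21:24:16 ubuntu-phablet kernel: [ 9894.826978] type=1400 audit(1377293056.953:1109): apparmor="DENIED" operation="open" parent=769 profile="com.ubuntu.developer.mhall119.xda-developers-app_xda-developers_0.1.5" name="/dev/binder" pid=6415 comm="qmlscene" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=0
Aug 23 21:30:00 ubuntu-phablet kernel: [ 9999.000000] type=1400 audit(1377293400.000:1200): apparmor="DENIED" operation="open" parent=769 profile="com.example.sampleapp_sampleapp_1.0" name="/proc/cpuinfo" pid=6500 comm="qmlscene" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def binder_denials(log_text, device="/dev/binder"):
    """Map profile name -> set of denied permission masks for `device`."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if not fields or fields.get("apparmor") != "DENIED":
            continue
        if fields.get("name") != device:
            continue
        denied[fields.get("profile", "<unknown>")].add(fields.get("denied_mask", ""))
    return dict(denied)


if __name__ == "__main__":
    for profile, masks in sorted(binder_denials(SAMPLE_LOG).items()):
        print(f"{profile}: denied {','.join(sorted(masks))} on /dev/binder")
```

Any profile that appears in the result still opens /dev/binder and would break if the rule were removed from its template or policy group.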