Is there a good reason (and what can it be) to require DAC restriction on IPC in addition to SELinux rules?


Our company is developing an AOSP-based platform for our customer. Some of our vendor services are using HWBinder for IPC which is using SELinux to restrict service discovery and access. The problem is that our customer insists that SELinux restriction is not enough and we need to provide a DAC-based restriction as well.

Our customer is basing this requirement on a security audit that was conducted on an earlier version of the platform. This security audit, however, didn’t evaluate HWBinder IPC, but a socket-based IPC that was used in older services. The issue that was highlighted during this audit is that Unix sockets had 0666 access and a recommendation was to change it to 0660 and use Unix groups to allow only specific services to access the socket.

For some reason our customer is now requiring to apply the same (or similar) approach to HWBinder IPC which, however, doesn’t have anything to attach these permissions to.

Unfortunately so far I couldn’t get a straight answer regarding their threat model, so my question is: Does it even make sense to require DAC + SELinux and if so, what threat model should I be considering to properly implement this restriction?

Also, any ideas regarding how I can get our customer an additional layer of security without changing the IPC method would be greatly appreciated.