platform_system_core/init/security.h

37 lines
1 KiB
C
Raw Normal View History

/*
* Copyright (C) 2017 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef _INIT_SECURITY_H
#define _INIT_SECURITY_H
#include <string>
#include <vector>
#include "builtin_arguments.h"
#include "result.h"
namespace android {
namespace init {
Result<void> SetMmapRndBitsAction(const BuiltinArguments&);
Result<void> SetKptrRestrictAction(const BuiltinArguments&);
init: add builtin check for perf_event LSM hooks Historically, the syscall was controlled by a system-wide perf_event_paranoid sysctl, which is not flexible enough to allow only specific processes to use the syscall. However, SELinux support for the syscall has been upstreamed recently[1] (and is being backported to Android R release common kernels). [1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e As the presence of these hooks is not guaranteed on all Android R platforms (since we support upgrades while keeping an older kernel), we need to test for the feature dynamically. The LSM hooks themselves have no way of being detected directly, so we instead test for their effects, so we perform several syscalls, and look for a specific success/failure combination, corresponding to the platform's SELinux policy. If hooks are detected, perf_event_paranoid is set to -1 (unrestricted), as the SELinux policy is then sufficient to control access. This is done within init for several reasons: * CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done if non-root users aren't allowed to use the syscall (the default). * init is already the setter of the paranoid value (see init.rc), which is also a privileged operation. * the test itself is simple (couple of syscalls), so having a dedicated test binary/domain felt excessive. I decided to go through a new sysprop (set by a builtin test in second-stage init), and keeping the actuation in init.rc. We can change it to an immediate write to the paranoid value if a use-case comes up that requires the decision to be made earlier in the init sequence. Bug: 137092007 Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
Result<void> TestPerfEventSelinuxAction(const BuiltinArguments&);
} // namespace init
} // namespace android
#endif