2017-08-10 21:22:44 +02:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2017 The Android Open Source Project
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "security.h"
|
|
|
|
|
|
|
|
#include <errno.h>
|
|
|
|
#include <fcntl.h>
|
init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
|
|
|
#include <linux/perf_event.h>
|
|
|
|
#include <sys/ioctl.h>
|
|
|
|
#include <sys/syscall.h>
|
2017-08-10 21:22:44 +02:00
|
|
|
#include <unistd.h>
|
|
|
|
|
|
|
|
#include <fstream>
|
|
|
|
|
|
|
|
#include <android-base/logging.h>
|
init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
|
|
|
#include <android-base/properties.h>
|
2017-08-10 21:22:44 +02:00
|
|
|
#include <android-base/unique_fd.h>
|
|
|
|
|
|
|
|
using android::base::unique_fd;
|
init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
|
|
|
using android::base::SetProperty;
|
2017-08-10 21:22:44 +02:00
|
|
|
|
|
|
|
namespace android {
|
|
|
|
namespace init {
|
|
|
|
|
|
|
|
// Writes 512 bytes of output from Hardware RNG (/dev/hw_random, backed
|
|
|
|
// by Linux kernel's hw_random framework) into Linux RNG's via /dev/urandom.
|
|
|
|
// Does nothing if Hardware RNG is not present.
|
|
|
|
//
|
|
|
|
// Since we don't yet trust the quality of Hardware RNG, these bytes are not
|
|
|
|
// mixed into the primary pool of Linux RNG and the entropy estimate is left
|
|
|
|
// unmodified.
|
|
|
|
//
|
|
|
|
// If the HW RNG device /dev/hw_random is present, we require that at least
|
|
|
|
// 512 bytes read from it are written into Linux RNG. QA is expected to catch
|
|
|
|
// devices/configurations where these I/O operations are blocking for a long
|
|
|
|
// time. We do not reboot or halt on failures, as this is a best-effort
|
|
|
|
// attempt.
|
2019-06-10 20:08:01 +02:00
|
|
|
Result<void> MixHwrngIntoLinuxRngAction(const BuiltinArguments&) {
|
2017-08-10 21:22:44 +02:00
|
|
|
unique_fd hwrandom_fd(
|
|
|
|
TEMP_FAILURE_RETRY(open("/dev/hw_random", O_RDONLY | O_NOFOLLOW | O_CLOEXEC)));
|
|
|
|
if (hwrandom_fd == -1) {
|
|
|
|
if (errno == ENOENT) {
|
|
|
|
LOG(INFO) << "/dev/hw_random not found";
|
|
|
|
// It's not an error to not have a Hardware RNG.
|
2019-06-10 20:08:01 +02:00
|
|
|
return {};
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
2017-08-01 22:50:23 +02:00
|
|
|
return ErrnoError() << "Failed to open /dev/hw_random";
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
unique_fd urandom_fd(
|
|
|
|
TEMP_FAILURE_RETRY(open("/dev/urandom", O_WRONLY | O_NOFOLLOW | O_CLOEXEC)));
|
|
|
|
if (urandom_fd == -1) {
|
2017-08-01 22:50:23 +02:00
|
|
|
return ErrnoError() << "Failed to open /dev/urandom";
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
char buf[512];
|
|
|
|
size_t total_bytes_written = 0;
|
|
|
|
while (total_bytes_written < sizeof(buf)) {
|
|
|
|
ssize_t chunk_size =
|
|
|
|
TEMP_FAILURE_RETRY(read(hwrandom_fd, buf, sizeof(buf) - total_bytes_written));
|
|
|
|
if (chunk_size == -1) {
|
2017-08-01 22:50:23 +02:00
|
|
|
return ErrnoError() << "Failed to read from /dev/hw_random";
|
2017-08-10 21:22:44 +02:00
|
|
|
} else if (chunk_size == 0) {
|
2017-08-01 22:50:23 +02:00
|
|
|
return Error() << "Failed to read from /dev/hw_random: EOF";
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
chunk_size = TEMP_FAILURE_RETRY(write(urandom_fd, buf, chunk_size));
|
|
|
|
if (chunk_size == -1) {
|
2017-08-01 22:50:23 +02:00
|
|
|
return ErrnoError() << "Failed to write to /dev/urandom";
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
|
|
|
total_bytes_written += chunk_size;
|
|
|
|
}
|
|
|
|
|
|
|
|
LOG(INFO) << "Mixed " << total_bytes_written << " bytes from /dev/hw_random into /dev/urandom";
|
2019-06-10 20:08:01 +02:00
|
|
|
return {};
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
|
|
|
|
2019-07-10 20:18:24 +02:00
|
|
|
static bool SetHighestAvailableOptionValue(const std::string& path, int min, int max) {
|
2017-08-10 21:22:44 +02:00
|
|
|
std::ifstream inf(path, std::fstream::in);
|
|
|
|
if (!inf) {
|
|
|
|
LOG(ERROR) << "Cannot open for reading: " << path;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
int current = max;
|
|
|
|
while (current >= min) {
|
|
|
|
// try to write out new value
|
|
|
|
std::string str_val = std::to_string(current);
|
|
|
|
std::ofstream of(path, std::fstream::out);
|
|
|
|
if (!of) {
|
|
|
|
LOG(ERROR) << "Cannot open for writing: " << path;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
of << str_val << std::endl;
|
|
|
|
of.close();
|
|
|
|
|
|
|
|
// check to make sure it was recorded
|
|
|
|
inf.seekg(0);
|
|
|
|
std::string str_rec;
|
|
|
|
inf >> str_rec;
|
|
|
|
if (str_val.compare(str_rec) == 0) {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
current--;
|
|
|
|
}
|
|
|
|
inf.close();
|
|
|
|
|
|
|
|
if (current < min) {
|
|
|
|
LOG(ERROR) << "Unable to set minimum option value " << min << " in " << path;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
#define MMAP_RND_PATH "/proc/sys/vm/mmap_rnd_bits"
|
|
|
|
#define MMAP_RND_COMPAT_PATH "/proc/sys/vm/mmap_rnd_compat_bits"
|
|
|
|
|
2020-02-21 22:25:54 +01:00
|
|
|
static bool SetMmapRndBitsMin(int start, int min, bool compat) {
|
2017-08-10 21:22:44 +02:00
|
|
|
std::string path;
|
|
|
|
if (compat) {
|
|
|
|
path = MMAP_RND_COMPAT_PATH;
|
|
|
|
} else {
|
|
|
|
path = MMAP_RND_PATH;
|
|
|
|
}
|
|
|
|
|
|
|
|
return SetHighestAvailableOptionValue(path, min, start);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Set /proc/sys/vm/mmap_rnd_bits and potentially
|
|
|
|
// /proc/sys/vm/mmap_rnd_compat_bits to the maximum supported values.
|
|
|
|
// Returns -1 if unable to set these to an acceptable value.
|
|
|
|
//
|
|
|
|
// To support this sysctl, the following upstream commits are needed:
|
|
|
|
//
|
|
|
|
// d07e22597d1d mm: mmap: add new /proc tunable for mmap_base ASLR
|
|
|
|
// e0c25d958f78 arm: mm: support ARCH_MMAP_RND_BITS
|
|
|
|
// 8f0d3aa9de57 arm64: mm: support ARCH_MMAP_RND_BITS
|
|
|
|
// 9e08f57d684a x86: mm: support ARCH_MMAP_RND_BITS
|
|
|
|
// ec9ee4acd97c drivers: char: random: add get_random_long()
|
|
|
|
// 5ef11c35ce86 mm: ASLR: use get_random_long()
|
2019-06-10 20:08:01 +02:00
|
|
|
Result<void> SetMmapRndBitsAction(const BuiltinArguments&) {
|
2017-08-10 21:22:44 +02:00
|
|
|
// values are arch-dependent
|
|
|
|
#if defined(USER_MODE_LINUX)
|
|
|
|
// uml does not support mmap_rnd_bits
|
2019-06-10 20:08:01 +02:00
|
|
|
return {};
|
2017-08-10 21:22:44 +02:00
|
|
|
#elif defined(__aarch64__)
|
|
|
|
// arm64 supports 18 - 33 bits depending on pagesize and VA_SIZE
|
|
|
|
if (SetMmapRndBitsMin(33, 24, false) && SetMmapRndBitsMin(16, 16, true)) {
|
2019-06-10 20:08:01 +02:00
|
|
|
return {};
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
|
|
|
#elif defined(__x86_64__)
|
|
|
|
// x86_64 supports 28 - 32 bits
|
|
|
|
if (SetMmapRndBitsMin(32, 32, false) && SetMmapRndBitsMin(16, 16, true)) {
|
2019-06-10 20:08:01 +02:00
|
|
|
return {};
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
|
|
|
#elif defined(__arm__) || defined(__i386__)
|
|
|
|
// check to see if we're running on 64-bit kernel
|
|
|
|
bool h64 = !access(MMAP_RND_COMPAT_PATH, F_OK);
|
|
|
|
// supported 32-bit architecture must have 16 bits set
|
|
|
|
if (SetMmapRndBitsMin(16, 16, h64)) {
|
2019-06-10 20:08:01 +02:00
|
|
|
return {};
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
|
|
|
#else
|
|
|
|
LOG(ERROR) << "Unknown architecture";
|
|
|
|
#endif
|
|
|
|
|
2017-08-18 02:28:30 +02:00
|
|
|
LOG(FATAL) << "Unable to set adequate mmap entropy value!";
|
2017-08-01 22:50:23 +02:00
|
|
|
return Error();
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
#define KPTR_RESTRICT_PATH "/proc/sys/kernel/kptr_restrict"
|
|
|
|
#define KPTR_RESTRICT_MINVALUE 2
|
|
|
|
#define KPTR_RESTRICT_MAXVALUE 4
|
|
|
|
|
|
|
|
// Set kptr_restrict to the highest available level.
|
|
|
|
//
|
|
|
|
// Aborts if unable to set this to an acceptable value.
|
2019-06-10 20:08:01 +02:00
|
|
|
Result<void> SetKptrRestrictAction(const BuiltinArguments&) {
|
2017-08-10 21:22:44 +02:00
|
|
|
std::string path = KPTR_RESTRICT_PATH;
|
|
|
|
|
|
|
|
if (!SetHighestAvailableOptionValue(path, KPTR_RESTRICT_MINVALUE, KPTR_RESTRICT_MAXVALUE)) {
|
2017-08-18 02:28:30 +02:00
|
|
|
LOG(FATAL) << "Unable to set adequate kptr_restrict value!";
|
2017-08-01 22:50:23 +02:00
|
|
|
return Error();
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
2019-06-10 20:08:01 +02:00
|
|
|
return {};
|
2017-08-10 21:22:44 +02:00
|
|
|
}
|
|
|
|
|
init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
|
|
|
// Test for whether the kernel has SELinux hooks for the perf_event_open()
|
|
|
|
// syscall. If the hooks are present, we can stop using the other permission
|
|
|
|
// mechanism (perf_event_paranoid sysctl), and use only the SELinux policy to
|
|
|
|
// control access to the syscall. The hooks are expected on all Android R
|
|
|
|
// release kernels, but might be absent on devices that upgrade while keeping an
|
|
|
|
// older kernel.
|
|
|
|
//
|
|
|
|
// There is no direct/synchronous way of finding out that a syscall failed due
|
|
|
|
// to SELinux. Therefore we test for a combination of a success and a failure
|
|
|
|
// that are explained by the platform's SELinux policy for the "init" domain:
|
|
|
|
// * cpu-scoped perf_event is allowed
|
|
|
|
// * ioctl() on the event fd is disallowed with EACCES
|
|
|
|
//
|
|
|
|
// Since init has CAP_SYS_ADMIN, these tests are not affected by the system-wide
|
|
|
|
// perf_event_paranoid sysctl.
|
|
|
|
//
|
|
|
|
// If the SELinux hooks are detected, a special sysprop
|
|
|
|
// (sys.init.perf_lsm_hooks) is set, which translates to a modification of
|
|
|
|
// perf_event_paranoid (through init.rc sysprop actions).
|
|
|
|
//
|
|
|
|
// TODO(b/137092007): this entire test can be removed once the platform stops
|
|
|
|
// supporting kernels that precede the perf_event_open hooks (Android common
|
|
|
|
// kernels 4.4 and 4.9).
|
|
|
|
Result<void> TestPerfEventSelinuxAction(const BuiltinArguments&) {
|
|
|
|
// Use a trivial event that will be configured, but not started.
|
|
|
|
struct perf_event_attr pe = {
|
|
|
|
.type = PERF_TYPE_SOFTWARE,
|
|
|
|
.size = sizeof(struct perf_event_attr),
|
|
|
|
.config = PERF_COUNT_SW_TASK_CLOCK,
|
|
|
|
.disabled = 1,
|
|
|
|
.exclude_kernel = 1,
|
|
|
|
};
|
|
|
|
|
|
|
|
// Open the above event targeting cpu 0. (EINTR not possible.)
|
|
|
|
unique_fd fd(static_cast<int>(syscall(__NR_perf_event_open, &pe, /*pid=*/-1,
|
|
|
|
/*cpu=*/0,
|
|
|
|
/*group_fd=*/-1, /*flags=*/0)));
|
|
|
|
if (fd == -1) {
|
|
|
|
PLOG(ERROR) << "Unexpected perf_event_open error";
|
|
|
|
return {};
|
|
|
|
}
|
|
|
|
|
|
|
|
int ioctl_ret = ioctl(fd, PERF_EVENT_IOC_RESET);
|
|
|
|
if (ioctl_ret != -1) {
|
|
|
|
// Success implies that the kernel doesn't have the hooks.
|
|
|
|
return {};
|
|
|
|
} else if (errno != EACCES) {
|
|
|
|
PLOG(ERROR) << "Unexpected perf_event ioctl error";
|
|
|
|
return {};
|
|
|
|
}
|
|
|
|
|
|
|
|
// Conclude that the SELinux hooks are present.
|
|
|
|
SetProperty("sys.init.perf_lsm_hooks", "1");
|
|
|
|
return {};
|
|
|
|
}
|
|
|
|
|
2017-08-10 21:22:44 +02:00
|
|
|
} // namespace init
|
|
|
|
} // namespace android
|