tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_core/init/security.cpp

235 lines
8.2 KiB
C++
Raw Normal View History

init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
/*
* Copyright (C) 2017 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "security.h"
init: don't touch mmap_rnd_compat_bits on 64-bit only builds mmap_rnd_compat_bits is for address space randomization of 32-bit applications on 64-bit system. Configuring it is not only unnecessary for 64-bit "only" builds, but also can cause a boot failure if the kernel is built without CONFIG_COMPAT which is the case for Microdroid. Use ro.product.abilist32 to determine whether 32-bit applications are supported and if not, don't configure it, but mmap_rnd_bits. Bug: 237950549 Test: run Microdroid with the kernel built with aosp/2153639 Change-Id: Ifca6fa02f14ad4c7d8f9b2ab8852494c12945c3a
2022-07-15 06:44:14 +02:00
#include "util.h"
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
#include <errno.h>
#include <fcntl.h>
init: add builtin check for perf_event LSM hooks Historically, the syscall was controlled by a system-wide perf_event_paranoid sysctl, which is not flexible enough to allow only specific processes to use the syscall. However, SELinux support for the syscall has been upstreamed recently[1] (and is being backported to Android R release common kernels). [1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e As the presence of these hooks is not guaranteed on all Android R platforms (since we support upgrades while keeping an older kernel), we need to test for the feature dynamically. The LSM hooks themselves have no way of being detected directly, so we instead test for their effects, so we perform several syscalls, and look for a specific success/failure combination, corresponding to the platform's SELinux policy. If hooks are detected, perf_event_paranoid is set to -1 (unrestricted), as the SELinux policy is then sufficient to control access. This is done within init for several reasons: * CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done if non-root users aren't allowed to use the syscall (the default). * init is already the setter of the paranoid value (see init.rc), which is also a privileged operation. * the test itself is simple (couple of syscalls), so having a dedicated test binary/domain felt excessive. I decided to go through a new sysprop (set by a builtin test in second-stage init), and keeping the actuation in init.rc. We can change it to an immediate write to the paranoid value if a use-case comes up that requires the decision to be made earlier in the init sequence. Bug: 137092007 Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
#include <linux/perf_event.h>
x86_64: mmap rnd bits: Allow min bits of less than 32 With a regular x86 kernel we are always able to get 32 min bits for mmap randomization. However to emulate 16KB for x86 app developers the kernel can only provide 30 bits for the randomization due the to larger page size (PAGE_SHIFT =+ 2). Allow the min rand bits to be (32 - (PAGE_SHIFT - 12)) in order to generically support larger than 4KB page sizes. This should be a no-op change for all devices, except the x86 16KB emulator, since they will always be able to get 32 random bits. Bug: 309816695 Test: Boot test 4k x86 device Test: Boot test emulated 16k x86 device Change-Id: I48d47d56ac3aecb71a9e0093a7033bb60b89c2b7 Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
2023-07-14 23:29:42 +02:00
#include <math.h>
dev devices with permissive boot: disable perf_event_paranoid Some functionality based on eBPF attached to tracepoints (gpu memory accounting and time-in-state) rely on newer devices running with "disabled" perf_event_paranoid controls as a result of the kernel having LSM hooks in the perf_event_open syscall instead. This is tested for, and set up by init via the sys.init.perf_lsm_hooks sysprop. Development devices that boot into permissive mode still want the eBPF-based functionality to work, but end up with a paranoid value that disallows the syscall, as the LSM hook test expects to observe a SELinux denial (which doesn't happen due to permissiveness). As a pragmatic way of achieving the paranoid value override, we pretend that the hook test has succeeded if we detect permissive SELinux during second-stage init. It'd be nicer if we had a sysprop to reflect the device's on-boot status of SELinux, but it's not worth adding for this case. BYPASS_INCLUSIVE_LANGUAGE_REASON=technical term Bug: 170674916 Tested: booted crosshatch-userdebug with permissive kernel cmdline, confirmed that the log message from the new codepath was present in logcat, sysprop is 1, and paranoid is -1. Change-Id: I9df5da2076cdbd777d35e50e8cd7a483ec85e20a
2020-10-28 19:01:35 +01:00
#include <selinux/selinux.h>
init: add builtin check for perf_event LSM hooks Historically, the syscall was controlled by a system-wide perf_event_paranoid sysctl, which is not flexible enough to allow only specific processes to use the syscall. However, SELinux support for the syscall has been upstreamed recently[1] (and is being backported to Android R release common kernels). [1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e As the presence of these hooks is not guaranteed on all Android R platforms (since we support upgrades while keeping an older kernel), we need to test for the feature dynamically. The LSM hooks themselves have no way of being detected directly, so we instead test for their effects, so we perform several syscalls, and look for a specific success/failure combination, corresponding to the platform's SELinux policy. If hooks are detected, perf_event_paranoid is set to -1 (unrestricted), as the SELinux policy is then sufficient to control access. This is done within init for several reasons: * CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done if non-root users aren't allowed to use the syscall (the default). * init is already the setter of the paranoid value (see init.rc), which is also a privileged operation. * the test itself is simple (couple of syscalls), so having a dedicated test binary/domain felt excessive. I decided to go through a new sysprop (set by a builtin test in second-stage init), and keeping the actuation in init.rc. We can change it to an immediate write to the paranoid value if a use-case comes up that requires the decision to be made earlier in the init sequence. Bug: 137092007 Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
#include <sys/ioctl.h>
#include <sys/syscall.h>
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
#include <unistd.h>
#include <fstream>
#include <android-base/logging.h>
init: add builtin check for perf_event LSM hooks Historically, the syscall was controlled by a system-wide perf_event_paranoid sysctl, which is not flexible enough to allow only specific processes to use the syscall. However, SELinux support for the syscall has been upstreamed recently[1] (and is being backported to Android R release common kernels). [1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e As the presence of these hooks is not guaranteed on all Android R platforms (since we support upgrades while keeping an older kernel), we need to test for the feature dynamically. The LSM hooks themselves have no way of being detected directly, so we instead test for their effects, so we perform several syscalls, and look for a specific success/failure combination, corresponding to the platform's SELinux policy. If hooks are detected, perf_event_paranoid is set to -1 (unrestricted), as the SELinux policy is then sufficient to control access. This is done within init for several reasons: * CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done if non-root users aren't allowed to use the syscall (the default). * init is already the setter of the paranoid value (see init.rc), which is also a privileged operation. * the test itself is simple (couple of syscalls), so having a dedicated test binary/domain felt excessive. I decided to go through a new sysprop (set by a builtin test in second-stage init), and keeping the actuation in init.rc. We can change it to an immediate write to the paranoid value if a use-case comes up that requires the decision to be made earlier in the init sequence. Bug: 137092007 Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
#include <android-base/properties.h>
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
#include <android-base/unique_fd.h>
using android::base::unique_fd;
init: add builtin check for perf_event LSM hooks Historically, the syscall was controlled by a system-wide perf_event_paranoid sysctl, which is not flexible enough to allow only specific processes to use the syscall. However, SELinux support for the syscall has been upstreamed recently[1] (and is being backported to Android R release common kernels). [1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e As the presence of these hooks is not guaranteed on all Android R platforms (since we support upgrades while keeping an older kernel), we need to test for the feature dynamically. The LSM hooks themselves have no way of being detected directly, so we instead test for their effects, so we perform several syscalls, and look for a specific success/failure combination, corresponding to the platform's SELinux policy. If hooks are detected, perf_event_paranoid is set to -1 (unrestricted), as the SELinux policy is then sufficient to control access. This is done within init for several reasons: * CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done if non-root users aren't allowed to use the syscall (the default). * init is already the setter of the paranoid value (see init.rc), which is also a privileged operation. * the test itself is simple (couple of syscalls), so having a dedicated test binary/domain felt excessive. I decided to go through a new sysprop (set by a builtin test in second-stage init), and keeping the actuation in init.rc. We can change it to an immediate write to the paranoid value if a use-case comes up that requires the decision to be made earlier in the init sequence. Bug: 137092007 Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
using android::base::SetProperty;
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
namespace android {
namespace init {
init: fix clang-tidy performance issues Test: boot, init unit tests Change-Id: Iccf34d2fedfa543dd9f29e010cbb6d8fe9cf5983
2019-07-10 20:18:24 +02:00
static bool SetHighestAvailableOptionValue(const std::string& path, int min, int max) {
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
std::ifstream inf(path, std::fstream::in);
if (!inf) {
LOG(ERROR) << "Cannot open for reading: " << path;
return false;
}
int current = max;
while (current >= min) {
// try to write out new value
std::string str_val = std::to_string(current);
std::ofstream of(path, std::fstream::out);
if (!of) {
LOG(ERROR) << "Cannot open for writing: " << path;
return false;
}
of << str_val << std::endl;
of.close();
// check to make sure it was recorded
inf.seekg(0);
std::string str_rec;
inf >> str_rec;
if (str_val.compare(str_rec) == 0) {
break;
}
current--;
}
inf.close();
if (current < min) {
LOG(ERROR) << "Unable to set minimum option value " << min << " in " << path;
return false;
}
return true;
}
#define MMAP_RND_PATH "/proc/sys/vm/mmap_rnd_bits"
#define MMAP_RND_COMPAT_PATH "/proc/sys/vm/mmap_rnd_compat_bits"
Remove various bits of dead code and unused workarounds. Test: treehugger Change-Id: I68fcd5da304d04ff4da3c3f3712fb79ce6b5791e Merged-In: I68fcd5da304d04ff4da3c3f3712fb79ce6b5791e
2020-02-21 22:25:54 +01:00
static bool SetMmapRndBitsMin(int start, int min, bool compat) {
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
std::string path;
if (compat) {
path = MMAP_RND_COMPAT_PATH;
} else {
path = MMAP_RND_PATH;
}
return SetHighestAvailableOptionValue(path, min, start);
}
// Set /proc/sys/vm/mmap_rnd_bits and potentially
// /proc/sys/vm/mmap_rnd_compat_bits to the maximum supported values.
Enhance documentation about SetMmapRndBitsAction Bug: N/A Test: N/A Change-Id: I0408158d181ef08831a55e1381477f5b128a5c52
2022-07-18 02:17:39 +02:00
// Returns an error if unable to set these to an acceptable value.
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
//
// To support this sysctl, the following upstream commits are needed:
//
// d07e22597d1d mm: mmap: add new /proc tunable for mmap_base ASLR
// e0c25d958f78 arm: mm: support ARCH_MMAP_RND_BITS
// 8f0d3aa9de57 arm64: mm: support ARCH_MMAP_RND_BITS
// 9e08f57d684a x86: mm: support ARCH_MMAP_RND_BITS
// ec9ee4acd97c drivers: char: random: add get_random_long()
// 5ef11c35ce86 mm: ASLR: use get_random_long()
init: replace Result<Success> with Result<void> Now that Result<T> is actually expected<T, ...>, and the expected proposal states expected<void, ...> as the way to indicate an expected object that returns either successfully with no object or an error, let's move init's Result<Success> to the preferred Result<void>. Bug: 132145659 Test: boot, init unit tests Change-Id: Ib2f98396d8e6e274f95a496fcdfd8341f77585ee
2019-06-10 20:08:01 +02:00
Result<void> SetMmapRndBitsAction(const BuiltinArguments&) {
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
// values are arch-dependent
#if defined(USER_MODE_LINUX)
// uml does not support mmap_rnd_bits
init: replace Result<Success> with Result<void> Now that Result<T> is actually expected<T, ...>, and the expected proposal states expected<void, ...> as the way to indicate an expected object that returns either successfully with no object or an error, let's move init's Result<Success> to the preferred Result<void>. Bug: 132145659 Test: boot, init unit tests Change-Id: Ib2f98396d8e6e274f95a496fcdfd8341f77585ee
2019-06-10 20:08:01 +02:00
return {};
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
#elif defined(__aarch64__)
arm64: update the "minimum maximum" comment. Noticed while looking at riscv64. Looks like a bug, but actually nothing we can do about it now or for the foreseeable future. Bug: https://github.com/google/android-riscv64/issues/45 Test: treehugger Change-Id: I2be81b2fd7095df40958a1f641d7b89cf5a8e41d
2023-09-19 20:40:03 +02:00
// arm64 supports 14 - 33 rnd bits depending on page size and ARM64_VA_BITS.
// The kernel (6.5) still defaults to 39 va bits for 4KiB pages, so shipping
// devices are only getting 24 bits of randomness in practice.
init: don't touch mmap_rnd_compat_bits on 64-bit only builds mmap_rnd_compat_bits is for address space randomization of 32-bit applications on 64-bit system. Configuring it is not only unnecessary for 64-bit "only" builds, but also can cause a boot failure if the kernel is built without CONFIG_COMPAT which is the case for Microdroid. Use ro.product.abilist32 to determine whether 32-bit applications are supported and if not, don't configure it, but mmap_rnd_bits. Bug: 237950549 Test: run Microdroid with the kernel built with aosp/2153639 Change-Id: Ifca6fa02f14ad4c7d8f9b2ab8852494c12945c3a
2022-07-15 06:44:14 +02:00
if (SetMmapRndBitsMin(33, 24, false) && (!Has32BitAbi() || SetMmapRndBitsMin(16, 16, true))) {
init: replace Result<Success> with Result<void> Now that Result<T> is actually expected<T, ...>, and the expected proposal states expected<void, ...> as the way to indicate an expected object that returns either successfully with no object or an error, let's move init's Result<Success> to the preferred Result<void>. Bug: 132145659 Test: boot, init unit tests Change-Id: Ib2f98396d8e6e274f95a496fcdfd8341f77585ee
2019-06-10 20:08:01 +02:00
return {};
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
}
Add mmap_rnd_bits routine for riscv64 Signed-off-by: Mao Han <han_mao@linux.alibaba.com> Change-Id: Ide793f4365fee67f30e35302365c4a7a5ba1f021
2022-10-12 16:25:06 +02:00
#elif defined(__riscv)
riscv64: increase ASLR randomness for Sv48/57 Linux 6.9+ supports 33 bits with Sv48 and Sv57. Increase the maximum and update the comment. Bug: https://github.com/google/android-riscv64/issues/1 Test: Treehugger Change-Id: Ia2731143ad30c5febe2058d35a381c01b14d8c3c
2024-05-21 19:27:39 +02:00
// riscv64 supports 24 rnd bits with Sv39, and starting with the 6.9 kernel,
// 33 bits with Sv48 and Sv57.
if (SetMmapRndBitsMin(33, 24, false)) {
Add mmap_rnd_bits routine for riscv64 Signed-off-by: Mao Han <han_mao@linux.alibaba.com> Change-Id: Ide793f4365fee67f30e35302365c4a7a5ba1f021
2022-10-12 16:25:06 +02:00
return {};
}
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
#elif defined(__x86_64__)
Enhance documentation about SetMmapRndBitsAction Bug: N/A Test: N/A Change-Id: I0408158d181ef08831a55e1381477f5b128a5c52
2022-07-18 02:17:39 +02:00
// x86_64 supports 28 - 32 rnd bits, but Android wants to ensure that the
x86_64: mmap rnd bits: Allow min bits of less than 32 With a regular x86 kernel we are always able to get 32 min bits for mmap randomization. However to emulate 16KB for x86 app developers the kernel can only provide 30 bits for the randomization due the to larger page size (PAGE_SHIFT =+ 2). Allow the min rand bits to be (32 - (PAGE_SHIFT - 12)) in order to generically support larger than 4KB page sizes. This should be a no-op change for all devices, except the x86 16KB emulator, since they will always be able to get 32 random bits. Bug: 309816695 Test: Boot test 4k x86 device Test: Boot test emulated 16k x86 device Change-Id: I48d47d56ac3aecb71a9e0093a7033bb60b89c2b7 Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
2023-07-14 23:29:42 +02:00
// theoretical maximum of 32 bits is always supported and used; except in
// the case of the x86 page size emulator which supports a maximum
// of 30 bits for 16k page size, or 28 bits for 64k page size.
int max_bits = 32 - (static_cast<int>(log2(getpagesize())) - 12);
if (SetMmapRndBitsMin(max_bits, max_bits, false) &&
(!Has32BitAbi() || SetMmapRndBitsMin(16, 16, true))) {
init: replace Result<Success> with Result<void> Now that Result<T> is actually expected<T, ...>, and the expected proposal states expected<void, ...> as the way to indicate an expected object that returns either successfully with no object or an error, let's move init's Result<Success> to the preferred Result<void>. Bug: 132145659 Test: boot, init unit tests Change-Id: Ib2f98396d8e6e274f95a496fcdfd8341f77585ee
2019-06-10 20:08:01 +02:00
return {};
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
}
#elif defined(__arm__) || defined(__i386__)
// check to see if we're running on 64-bit kernel
bool h64 = !access(MMAP_RND_COMPAT_PATH, F_OK);
// supported 32-bit architecture must have 16 bits set
if (SetMmapRndBitsMin(16, 16, h64)) {
init: replace Result<Success> with Result<void> Now that Result<T> is actually expected<T, ...>, and the expected proposal states expected<void, ...> as the way to indicate an expected object that returns either successfully with no object or an error, let's move init's Result<Success> to the preferred Result<void>. Bug: 132145659 Test: boot, init unit tests Change-Id: Ib2f98396d8e6e274f95a496fcdfd8341f77585ee
2019-06-10 20:08:01 +02:00
return {};
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
}
#else
LOG(ERROR) << "Unknown architecture";
#endif
init: replace panic() with LOG(FATAL) Test: boot bullhead Test: Introduce LOG(FATAL) at various points of init and ensure that it reboots to the bootloader successfully Test: Introduce LOG(FATAL) during DoReboot() and ensure that it reboots instead of recursing infinitely Test: Ensure that fatal signals reboot to bootloader Change-Id: I409005b6fab379df2d635e3e33d2df48a1a97df3
2017-08-18 02:28:30 +02:00
LOG(FATAL) << "Unable to set adequate mmap entropy value!";
init: use Result<T> for builtin functions We currently throw out the return values from builtin functions and occasionally log errors with no supporting context. This change uses the newly introduced Result<T> class to communicate a successful result or an error back to callers in order to print an error with clear context when a builtin fails. Example: init: Command 'write /sys/class/leds/vibrator/trigger transient' action=init (/init.rc:245) took 0ms and failed: Unable to write to file '/sys/class/leds/vibrator/trigger': open() failed: No such file or directory Test: boot bullhead Merged-In: Idc18f331d2d646629c6093c1e0f2996cf9b42aec Change-Id: Idc18f331d2d646629c6093c1e0f2996cf9b42aec
2017-08-01 22:50:23 +02:00
return Error();
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
}
#define KPTR_RESTRICT_PATH "/proc/sys/kernel/kptr_restrict"
#define KPTR_RESTRICT_MINVALUE 2
#define KPTR_RESTRICT_MAXVALUE 4
// Set kptr_restrict to the highest available level.
//
// Aborts if unable to set this to an acceptable value.
init: replace Result<Success> with Result<void> Now that Result<T> is actually expected<T, ...>, and the expected proposal states expected<void, ...> as the way to indicate an expected object that returns either successfully with no object or an error, let's move init's Result<Success> to the preferred Result<void>. Bug: 132145659 Test: boot, init unit tests Change-Id: Ib2f98396d8e6e274f95a496fcdfd8341f77585ee
2019-06-10 20:08:01 +02:00
Result<void> SetKptrRestrictAction(const BuiltinArguments&) {
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
std::string path = KPTR_RESTRICT_PATH;
if (!SetHighestAvailableOptionValue(path, KPTR_RESTRICT_MINVALUE, KPTR_RESTRICT_MAXVALUE)) {
init: replace panic() with LOG(FATAL) Test: boot bullhead Test: Introduce LOG(FATAL) at various points of init and ensure that it reboots to the bootloader successfully Test: Introduce LOG(FATAL) during DoReboot() and ensure that it reboots instead of recursing infinitely Test: Ensure that fatal signals reboot to bootloader Change-Id: I409005b6fab379df2d635e3e33d2df48a1a97df3
2017-08-18 02:28:30 +02:00
LOG(FATAL) << "Unable to set adequate kptr_restrict value!";
init: use Result<T> for builtin functions We currently throw out the return values from builtin functions and occasionally log errors with no supporting context. This change uses the newly introduced Result<T> class to communicate a successful result or an error back to callers in order to print an error with clear context when a builtin fails. Example: init: Command 'write /sys/class/leds/vibrator/trigger transient' action=init (/init.rc:245) took 0ms and failed: Unable to write to file '/sys/class/leds/vibrator/trigger': open() failed: No such file or directory Test: boot bullhead Merged-In: Idc18f331d2d646629c6093c1e0f2996cf9b42aec Change-Id: Idc18f331d2d646629c6093c1e0f2996cf9b42aec
2017-08-01 22:50:23 +02:00
return Error();
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
}
init: replace Result<Success> with Result<void> Now that Result<T> is actually expected<T, ...>, and the expected proposal states expected<void, ...> as the way to indicate an expected object that returns either successfully with no object or an error, let's move init's Result<Success> to the preferred Result<void>. Bug: 132145659 Test: boot, init unit tests Change-Id: Ib2f98396d8e6e274f95a496fcdfd8341f77585ee
2019-06-10 20:08:01 +02:00
return {};
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
}
init: add builtin check for perf_event LSM hooks Historically, the syscall was controlled by a system-wide perf_event_paranoid sysctl, which is not flexible enough to allow only specific processes to use the syscall. However, SELinux support for the syscall has been upstreamed recently[1] (and is being backported to Android R release common kernels). [1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e As the presence of these hooks is not guaranteed on all Android R platforms (since we support upgrades while keeping an older kernel), we need to test for the feature dynamically. The LSM hooks themselves have no way of being detected directly, so we instead test for their effects, so we perform several syscalls, and look for a specific success/failure combination, corresponding to the platform's SELinux policy. If hooks are detected, perf_event_paranoid is set to -1 (unrestricted), as the SELinux policy is then sufficient to control access. This is done within init for several reasons: * CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done if non-root users aren't allowed to use the syscall (the default). * init is already the setter of the paranoid value (see init.rc), which is also a privileged operation. * the test itself is simple (couple of syscalls), so having a dedicated test binary/domain felt excessive. I decided to go through a new sysprop (set by a builtin test in second-stage init), and keeping the actuation in init.rc. We can change it to an immediate write to the paranoid value if a use-case comes up that requires the decision to be made earlier in the init sequence. Bug: 137092007 Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
// Test for whether the kernel has SELinux hooks for the perf_event_open()
// syscall. If the hooks are present, we can stop using the other permission
// mechanism (perf_event_paranoid sysctl), and use only the SELinux policy to
// control access to the syscall. The hooks are expected on all Android R
// release kernels, but might be absent on devices that upgrade while keeping an
// older kernel.
//
// There is no direct/synchronous way of finding out that a syscall failed due
// to SELinux. Therefore we test for a combination of a success and a failure
// that are explained by the platform's SELinux policy for the "init" domain:
// * cpu-scoped perf_event is allowed
// * ioctl() on the event fd is disallowed with EACCES
//
// Since init has CAP_SYS_ADMIN, these tests are not affected by the system-wide
// perf_event_paranoid sysctl.
//
// If the SELinux hooks are detected, a special sysprop
// (sys.init.perf_lsm_hooks) is set, which translates to a modification of
// perf_event_paranoid (through init.rc sysprop actions).
//
// TODO(b/137092007): this entire test can be removed once the platform stops
// supporting kernels that precede the perf_event_open hooks (Android common
// kernels 4.4 and 4.9).
Result<void> TestPerfEventSelinuxAction(const BuiltinArguments&) {
dev devices with permissive boot: disable perf_event_paranoid Some functionality based on eBPF attached to tracepoints (gpu memory accounting and time-in-state) rely on newer devices running with "disabled" perf_event_paranoid controls as a result of the kernel having LSM hooks in the perf_event_open syscall instead. This is tested for, and set up by init via the sys.init.perf_lsm_hooks sysprop. Development devices that boot into permissive mode still want the eBPF-based functionality to work, but end up with a paranoid value that disallows the syscall, as the LSM hook test expects to observe a SELinux denial (which doesn't happen due to permissiveness). As a pragmatic way of achieving the paranoid value override, we pretend that the hook test has succeeded if we detect permissive SELinux during second-stage init. It'd be nicer if we had a sysprop to reflect the device's on-boot status of SELinux, but it's not worth adding for this case. BYPASS_INCLUSIVE_LANGUAGE_REASON=technical term Bug: 170674916 Tested: booted crosshatch-userdebug with permissive kernel cmdline, confirmed that the log message from the new codepath was present in logcat, sysprop is 1, and paranoid is -1. Change-Id: I9df5da2076cdbd777d35e50e8cd7a483ec85e20a
2020-10-28 19:01:35 +01:00
// Special case: for *development devices* that boot with permissive
// SELinux, treat the LSM hooks as present for the effect of lowering the
// perf_event_paranoid sysctl. The sysprop is reused for pragmatic reasons,
// as there no existing way for init rules to check for permissive boot at
// the time of writing.
if (ALLOW_PERMISSIVE_SELINUX) {
if (!security_getenforce()) {
LOG(INFO) << "Permissive SELinux boot, forcing sys.init.perf_lsm_hooks to 1.";
SetProperty("sys.init.perf_lsm_hooks", "1");
return {};
}
}
init: add builtin check for perf_event LSM hooks Historically, the syscall was controlled by a system-wide perf_event_paranoid sysctl, which is not flexible enough to allow only specific processes to use the syscall. However, SELinux support for the syscall has been upstreamed recently[1] (and is being backported to Android R release common kernels). [1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e As the presence of these hooks is not guaranteed on all Android R platforms (since we support upgrades while keeping an older kernel), we need to test for the feature dynamically. The LSM hooks themselves have no way of being detected directly, so we instead test for their effects, so we perform several syscalls, and look for a specific success/failure combination, corresponding to the platform's SELinux policy. If hooks are detected, perf_event_paranoid is set to -1 (unrestricted), as the SELinux policy is then sufficient to control access. This is done within init for several reasons: * CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done if non-root users aren't allowed to use the syscall (the default). * init is already the setter of the paranoid value (see init.rc), which is also a privileged operation. * the test itself is simple (couple of syscalls), so having a dedicated test binary/domain felt excessive. I decided to go through a new sysprop (set by a builtin test in second-stage init), and keeping the actuation in init.rc. We can change it to an immediate write to the paranoid value if a use-case comes up that requires the decision to be made earlier in the init sequence. Bug: 137092007 Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
// Use a trivial event that will be configured, but not started.
struct perf_event_attr pe = {
.type = PERF_TYPE_SOFTWARE,
.size = sizeof(struct perf_event_attr),
.config = PERF_COUNT_SW_TASK_CLOCK,
.disabled = 1,
.exclude_kernel = 1,
};
// Open the above event targeting cpu 0. (EINTR not possible.)
unique_fd fd(static_cast<int>(syscall(__NR_perf_event_open, &pe, /*pid=*/-1,
/*cpu=*/0,
/*group_fd=*/-1, /*flags=*/0)));
if (fd == -1) {
PLOG(ERROR) << "Unexpected perf_event_open error";
return {};
}
init: Enable ANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION From the unique_fd.h header file: "unique_fd's operator int is dangerous, but we have way too much code that depends on it, so make this opt-in at first." From the Google C++ style guide: "Do not define implicit conversions." See also go/cstyle#Implicit_Conversions. Hence this CL that disables unique_fd::operator int(). Change-Id: I28d94755d5408f63e5819da8d1cbc285057f867f Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-12-03 03:48:15 +01:00
int ioctl_ret = ioctl(fd.get(), PERF_EVENT_IOC_RESET);
init: add builtin check for perf_event LSM hooks Historically, the syscall was controlled by a system-wide perf_event_paranoid sysctl, which is not flexible enough to allow only specific processes to use the syscall. However, SELinux support for the syscall has been upstreamed recently[1] (and is being backported to Android R release common kernels). [1] https://github.com/torvalds/linux/commit/da97e18458fb42d7c00fac5fd1c56a3896ec666e As the presence of these hooks is not guaranteed on all Android R platforms (since we support upgrades while keeping an older kernel), we need to test for the feature dynamically. The LSM hooks themselves have no way of being detected directly, so we instead test for their effects, so we perform several syscalls, and look for a specific success/failure combination, corresponding to the platform's SELinux policy. If hooks are detected, perf_event_paranoid is set to -1 (unrestricted), as the SELinux policy is then sufficient to control access. This is done within init for several reasons: * CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done if non-root users aren't allowed to use the syscall (the default). * init is already the setter of the paranoid value (see init.rc), which is also a privileged operation. * the test itself is simple (couple of syscalls), so having a dedicated test binary/domain felt excessive. I decided to go through a new sysprop (set by a builtin test in second-stage init), and keeping the actuation in init.rc. We can change it to an immediate write to the paranoid value if a use-case comes up that requires the decision to be made earlier in the init sequence. Bug: 137092007 Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-14 23:02:53 +01:00
if (ioctl_ret != -1) {
// Success implies that the kernel doesn't have the hooks.
return {};
} else if (errno != EACCES) {
PLOG(ERROR) << "Unexpected perf_event ioctl error";
return {};
}
// Conclude that the SELinux hooks are present.
SetProperty("sys.init.perf_lsm_hooks", "1");
return {};
}
init: split security functions out of init.cpp This change splits out the selinux initialization and supporting functionality into selinux.cpp and splits the security related initialization of the rng, etc to security.cpp. It also provides additional documentation for SEPolicy loading as this has been requested by some teams. It additionally cleans up sehandle and sehandle_prop. The former is static within selinux.cpp and new wrapper functions are created around selabel_lookup*() to better serve the users. The latter is moved to property_service.cpp as it is isolated to that file for its usage. Test: boot bullhead Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60 Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-10 21:22:44 +02:00
} // namespace init
} // namespace android
Reference in a new issue Copy permalink