platform_system_sepolicy/private/boringssl_self_test.te

# System and vendor domains for BoringSSL self test binaries.
#
# For FIPS compliance, all processes linked against libcrypto perform a startup
# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once
# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.
#
# The KATs are expensive, and to ensure they are run as few times as possible, they
# are skipped if a marker file exists in /dev/boringssl/selftest whose name is
# the hash of the BCM that was computed earlier.  The files are zero length and their contents
# should never be read or written.  To avoid giving arbitrary processes access to /dev/boringssl
# to create these marker files, there are dedicated self test binaries which this policy
# gives access to and which are run during early-init.
#
# Due to build skew, the version of libcrypto in /vendor may have a different hash than
# the system one.  To cater for this there are vendor variants of the self test binaries
# which also have permission to write to the same files in /dev/boringssl.  In the case where
# vendor and system libcrypto have the same hash, there will be a race to create the file,
# but this is harmless.
#
# If the self tests fail, then the device should reboot into firmware and for this reason
# the system boringssl_self_test domain needs to be in coredomain.  As vendor domains
# are not allowed in coredomain, this means that the vendor self tests cannot trigger a
# reboot.  However every binary linked against the vendor libcrypto will abort on startup,
# so in practice the device will crash anyway in this unlikely scenario.

# System boringssl_self_test domain
type boringssl_self_test, domain, coredomain;
type boringssl_self_test_exec, system_file_type, exec_type, file_type;

# Vendor boringssl_self_test domain
type vendor_boringssl_self_test, domain;
type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;

# Switch to boringssl_self_test security domain when running boringssl_self_test_exec
init_daemon_domain(boringssl_self_test)

# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec
init_daemon_domain(vendor_boringssl_self_test)

# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto
#
# The files are zero length so there is no issue if both vendor and system code
# try to create the same file simultaneously. One will succeed and the other will fail
# silently, i.e. still indicate success.  Similar harmless naming collisions will happen in the
# system domain e.g. when system and APEX copies of libcrypto are identical.
type boringssl_self_test_marker, file_type;

# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files
allow { boringssl_self_test vendor_boringssl_self_test }
  boringssl_self_test_marker:file create_file_perms;
allow { boringssl_self_test vendor_boringssl_self_test }
  boringssl_self_test_marker:dir ra_dir_perms;

# Allow self test binaries to write their stdout/stderr messages to kmsg_debug
allow { boringssl_self_test vendor_boringssl_self_test }
  kmsg_debug_device:chr_file { w_file_perms getattr ioctl };

# No other process should be able to create marker files because their existence causes the
# boringssl KAT to be skipped.
neverallow {
  domain
  -vendor_boringssl_self_test
  -boringssl_self_test
  -init
  -vendor_init
} boringssl_self_test_marker:file no_rw_file_perms;

neverallow {
  domain
  -vendor_boringssl_self_test
  -boringssl_self_test
  -init
  -vendor_init
} boringssl_self_test_marker:dir write;
SEPolicy changes to allow vendor BoringSSL self test. Introduces new domain vendor_boringssl_self_test and runs /vendor/bin/boringssl_self_test(32\|64) in it. New domain required because boringssl_self_test needs to be in coredomain in order to reboot the device, but vendor code may not run in coredomain. Bug: 141150335 Test: flashall && manually verify no selinux errors logged and that four flag files are created in /dev/boringssl, two by the system self tests and two by the vendor. Change-Id: I46e2a5ea338eddacdfd089f696295dbd16795c5a 2019-09-30 19:00:55 +02:00			`# System and vendor domains for BoringSSL self test binaries.`
			`#`
			`# For FIPS compliance, all processes linked against libcrypto perform a startup`
			`# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once`
			`# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.`
			`#`
			`# The KATs are expensive, and to ensure they are run as few times as possible, they`
			`# are skipped if a marker file exists in /dev/boringssl/selftest whose name is`
			`# the hash of the BCM that was computed earlier. The files are zero length and their contents`
			`# should never be read or written. To avoid giving arbitrary processes access to /dev/boringssl`
			`# to create these marker files, there are dedicated self test binaries which this policy`
			`# gives access to and which are run during early-init.`
			`#`
			`# Due to build skew, the version of libcrypto in /vendor may have a different hash than`
			`# the system one. To cater for this there are vendor variants of the self test binaries`
			`# which also have permission to write to the same files in /dev/boringssl. In the case where`
			`# vendor and system libcrypto have the same hash, there will be a race to create the file,`
			`# but this is harmless.`
			`#`
			`# If the self tests fail, then the device should reboot into firmware and for this reason`
			`# the system boringssl_self_test domain needs to be in coredomain. As vendor domains`
			`# are not allowed in coredomain, this means that the vendor self tests cannot trigger a`
			`# reboot. However every binary linked against the vendor libcrypto will abort on startup,`
			`# so in practice the device will crash anyway in this unlikely scenario.`

			`# System boringssl_self_test domain`
Tweak boringssl_self_test.te Include coredomain in initial definition of boringssl_self_test rather than adding it later. This addresses an outstanding review comment from http://r.android.com/1110523 Test: Treehugger Bug: 137267623 Change-Id: I4e8d4e2e76b1c3a9b5a1f806e43e885b51cb7a60 2019-09-08 01:52:15 +02:00			`type boringssl_self_test, domain, coredomain;`
SEPolicy for boringssl_self_test. This CL adds hand-written SELinux rules to: - define the boringssl_self_test security domain - label the corresponding files at type boringssl_self_test_marker and boringssl_self_test_exec. - define an automatic transition from init to boringssl_self_test domains, plus appropriate access permissions. Bug: 137267623 Test: When run together with the other changes from draft CL topic http://aosp/q/topic:bug137267623_bsslselftest, check that: - both /dev/boringssl/selftest/* marker files are present after the device boots. - Test: after the boringssl_self_test{32,64} binaries have run, no further SELinux denials occur for processes trying to write the marker file. Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f 2019-08-28 23:08:50 +02:00			`type boringssl_self_test_exec, system_file_type, exec_type, file_type;`

SEPolicy changes to allow vendor BoringSSL self test. Introduces new domain vendor_boringssl_self_test and runs /vendor/bin/boringssl_self_test(32\|64) in it. New domain required because boringssl_self_test needs to be in coredomain in order to reboot the device, but vendor code may not run in coredomain. Bug: 141150335 Test: flashall && manually verify no selinux errors logged and that four flag files are created in /dev/boringssl, two by the system self tests and two by the vendor. Change-Id: I46e2a5ea338eddacdfd089f696295dbd16795c5a 2019-09-30 19:00:55 +02:00			`# Vendor boringssl_self_test domain`
			`type vendor_boringssl_self_test, domain;`
			`type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;`

			`# Switch to boringssl_self_test security domain when running boringssl_self_test_exec`
SEPolicy for boringssl_self_test. This CL adds hand-written SELinux rules to: - define the boringssl_self_test security domain - label the corresponding files at type boringssl_self_test_marker and boringssl_self_test_exec. - define an automatic transition from init to boringssl_self_test domains, plus appropriate access permissions. Bug: 137267623 Test: When run together with the other changes from draft CL topic http://aosp/q/topic:bug137267623_bsslselftest, check that: - both /dev/boringssl/selftest/* marker files are present after the device boots. - Test: after the boringssl_self_test{32,64} binaries have run, no further SELinux denials occur for processes trying to write the marker file. Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f 2019-08-28 23:08:50 +02:00			`init_daemon_domain(boringssl_self_test)`

SEPolicy changes to allow vendor BoringSSL self test. Introduces new domain vendor_boringssl_self_test and runs /vendor/bin/boringssl_self_test(32\|64) in it. New domain required because boringssl_self_test needs to be in coredomain in order to reboot the device, but vendor code may not run in coredomain. Bug: 141150335 Test: flashall && manually verify no selinux errors logged and that four flag files are created in /dev/boringssl, two by the system self tests and two by the vendor. Change-Id: I46e2a5ea338eddacdfd089f696295dbd16795c5a 2019-09-30 19:00:55 +02:00			`# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec`
			`init_daemon_domain(vendor_boringssl_self_test)`

			`# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto`
			`#`
			`# The files are zero length so there is no issue if both vendor and system code`
			`# try to create the same file simultaneously. One will succeed and the other will fail`
			`# silently, i.e. still indicate success. Similar harmless naming collisions will happen in the`
			`# system domain e.g. when system and APEX copies of libcrypto are identical.`
			`type boringssl_self_test_marker, file_type;`

			`# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files`
			`allow { boringssl_self_test vendor_boringssl_self_test }`
			`boringssl_self_test_marker:file create_file_perms;`
			`allow { boringssl_self_test vendor_boringssl_self_test }`
			`boringssl_self_test_marker:dir ra_dir_perms;`
SEPolicy for boringssl_self_test. This CL adds hand-written SELinux rules to: - define the boringssl_self_test security domain - label the corresponding files at type boringssl_self_test_marker and boringssl_self_test_exec. - define an automatic transition from init to boringssl_self_test domains, plus appropriate access permissions. Bug: 137267623 Test: When run together with the other changes from draft CL topic http://aosp/q/topic:bug137267623_bsslselftest, check that: - both /dev/boringssl/selftest/* marker files are present after the device boots. - Test: after the boringssl_self_test{32,64} binaries have run, no further SELinux denials occur for processes trying to write the marker file. Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f 2019-08-28 23:08:50 +02:00
SEPolicy changes to allow vendor BoringSSL self test. Introduces new domain vendor_boringssl_self_test and runs /vendor/bin/boringssl_self_test(32\|64) in it. New domain required because boringssl_self_test needs to be in coredomain in order to reboot the device, but vendor code may not run in coredomain. Bug: 141150335 Test: flashall && manually verify no selinux errors logged and that four flag files are created in /dev/boringssl, two by the system self tests and two by the vendor. Change-Id: I46e2a5ea338eddacdfd089f696295dbd16795c5a 2019-09-30 19:00:55 +02:00			`# Allow self test binaries to write their stdout/stderr messages to kmsg_debug`
			`allow { boringssl_self_test vendor_boringssl_self_test }`
			`kmsg_debug_device:chr_file { w_file_perms getattr ioctl };`
Redirect boringssl_self_test stdio to kmsg To aid in debugging if there are failures. Bug: 137267623 Test: add prints to boringssl_self_test and see them Change-Id: I34b20225514898911b3f476d4517430433eb379e 2019-09-24 01:22:58 +02:00
SEPolicy changes to allow vendor BoringSSL self test. Introduces new domain vendor_boringssl_self_test and runs /vendor/bin/boringssl_self_test(32\|64) in it. New domain required because boringssl_self_test needs to be in coredomain in order to reboot the device, but vendor code may not run in coredomain. Bug: 141150335 Test: flashall && manually verify no selinux errors logged and that four flag files are created in /dev/boringssl, two by the system self tests and two by the vendor. Change-Id: I46e2a5ea338eddacdfd089f696295dbd16795c5a 2019-09-30 19:00:55 +02:00			`# No other process should be able to create marker files because their existence causes the`
			`# boringssl KAT to be skipped.`
SEPolicy for boringssl_self_test. This CL adds hand-written SELinux rules to: - define the boringssl_self_test security domain - label the corresponding files at type boringssl_self_test_marker and boringssl_self_test_exec. - define an automatic transition from init to boringssl_self_test domains, plus appropriate access permissions. Bug: 137267623 Test: When run together with the other changes from draft CL topic http://aosp/q/topic:bug137267623_bsslselftest, check that: - both /dev/boringssl/selftest/* marker files are present after the device boots. - Test: after the boringssl_self_test{32,64} binaries have run, no further SELinux denials occur for processes trying to write the marker file. Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f 2019-08-28 23:08:50 +02:00			`neverallow {`
			`domain`
SEPolicy changes to allow vendor BoringSSL self test. Introduces new domain vendor_boringssl_self_test and runs /vendor/bin/boringssl_self_test(32\|64) in it. New domain required because boringssl_self_test needs to be in coredomain in order to reboot the device, but vendor code may not run in coredomain. Bug: 141150335 Test: flashall && manually verify no selinux errors logged and that four flag files are created in /dev/boringssl, two by the system self tests and two by the vendor. Change-Id: I46e2a5ea338eddacdfd089f696295dbd16795c5a 2019-09-30 19:00:55 +02:00			`-vendor_boringssl_self_test`
SEPolicy for boringssl_self_test. This CL adds hand-written SELinux rules to: - define the boringssl_self_test security domain - label the corresponding files at type boringssl_self_test_marker and boringssl_self_test_exec. - define an automatic transition from init to boringssl_self_test domains, plus appropriate access permissions. Bug: 137267623 Test: When run together with the other changes from draft CL topic http://aosp/q/topic:bug137267623_bsslselftest, check that: - both /dev/boringssl/selftest/* marker files are present after the device boots. - Test: after the boringssl_self_test{32,64} binaries have run, no further SELinux denials occur for processes trying to write the marker file. Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f 2019-08-28 23:08:50 +02:00			`-boringssl_self_test`
			`-init`
			`-vendor_init`
			`} boringssl_self_test_marker:file no_rw_file_perms;`
SEPolicy: dontaudit attempts to create marker files. Binaries other than boringssl_self_test_exec are not allowed to create marker files /dev/boringssl/selftest/[hash]. Right now, some processes still attempt to because: - Some binaries run so early during early-init that boringssl_self_test{32,64} hasn't had a chance to run yet, so the marker file doesn't exist yet, so the unprivileged process attempts to create it. - Some binaries statically link libcrypto so their [hash] is different from that used by boringssl_self_test{32,64}. There's some ongoing work to stop those binaries even attempting to create the marker files but it's not a big deal if they do. Similarly, there is ongoing work to minimize or eliminate static linking of this library. For now, this CL turns off audit logs for this behavior since it is harmless (a cosmetic issue) and in order to not hold up the bulk of the logic being submitted. Bug: 137267623 Test: Treehugger Change-Id: I3de664c5959efd130f761764fe63515795ea9b98 2019-09-11 20:11:46 +02:00
			`neverallow {`
			`domain`
SEPolicy changes to allow vendor BoringSSL self test. Introduces new domain vendor_boringssl_self_test and runs /vendor/bin/boringssl_self_test(32\|64) in it. New domain required because boringssl_self_test needs to be in coredomain in order to reboot the device, but vendor code may not run in coredomain. Bug: 141150335 Test: flashall && manually verify no selinux errors logged and that four flag files are created in /dev/boringssl, two by the system self tests and two by the vendor. Change-Id: I46e2a5ea338eddacdfd089f696295dbd16795c5a 2019-09-30 19:00:55 +02:00			`-vendor_boringssl_self_test`
SEPolicy: dontaudit attempts to create marker files. Binaries other than boringssl_self_test_exec are not allowed to create marker files /dev/boringssl/selftest/[hash]. Right now, some processes still attempt to because: - Some binaries run so early during early-init that boringssl_self_test{32,64} hasn't had a chance to run yet, so the marker file doesn't exist yet, so the unprivileged process attempts to create it. - Some binaries statically link libcrypto so their [hash] is different from that used by boringssl_self_test{32,64}. There's some ongoing work to stop those binaries even attempting to create the marker files but it's not a big deal if they do. Similarly, there is ongoing work to minimize or eliminate static linking of this library. For now, this CL turns off audit logs for this behavior since it is harmless (a cosmetic issue) and in order to not hold up the bulk of the logic being submitted. Bug: 137267623 Test: Treehugger Change-Id: I3de664c5959efd130f761764fe63515795ea9b98 2019-09-11 20:11:46 +02:00			`-boringssl_self_test`
			`-init`
			`-vendor_init`
			`} boringssl_self_test_marker:dir write;`