platform_system_sepolicy/private/snapuserd.te

71 lines
2.6 KiB
Text
Raw Normal View History

# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
type snapuserd, domain;
type snapuserd_exec, exec_type, file_type, system_file_type;
typeattribute snapuserd coredomain;
init_daemon_domain(snapuserd)
allow snapuserd kmsg_device:chr_file rw_file_perms;
# Allow snapuserd to reach block devices in /dev/block.
allow snapuserd block_device:dir search;
# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
allow snapuserd sysfs:dir { open read };
# Read /sys/block/dm-X/dm/name (which is a symlink to
# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
# dm-X and dynamic partitions.
allow snapuserd sysfs_dm:dir { open read search };
allow snapuserd sysfs_dm:file r_file_perms;
# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
allow snapuserd block_device:dir r_dir_perms;
allow snapuserd dm_device:chr_file rw_file_perms;
allow snapuserd dm_device:blk_file rw_file_perms;
# Reading and writing to dm-user control nodes.
allow snapuserd dm_user_device:dir r_dir_perms;
allow snapuserd dm_user_device:chr_file rw_file_perms;
# Reading and writing to /dev/socket/snapuserd and snapuserd_proxy.
allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
allow snapuserd snapuserd_proxy_socket:sock_file write;
# This arises due to first-stage init opening /dev/null without F_CLOEXEC
# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
# again, the descriptor leaks into the new process.
allow snapuserd kernel:fd use;
# snapuserd.* properties
set_prop(snapuserd, snapuserd_prop)
get_prop(snapuserd, virtual_ab_prop)
# For inotify watching for /dev/socket/snapuserd_proxy to appear.
allow snapuserd tmpfs:dir { read watch };
# Forbid anything other than snapuserd and init setting snapuserd properties.
neverallow {
domain
-snapuserd
-init
} snapuserd_prop:property_service set;
# Allow to read/write/create OTA metadata files
allow snapuserd metadata_file:dir search;
allow snapuserd ota_metadata_file:dir rw_dir_perms;
allow snapuserd ota_metadata_file:file create_file_perms;
Add SELinux Policy For io_uring Brings in the io_uring class and associated restrictions and adds a new macro, `io_uring_use`, to sepolicy. In more detail, this change: * Adds a new macro expands to ensure the domain it is passed can undergo a type transition to a new type, `<domain>_iouring`, when the anon_inode being accessed is labeled `[io_uring]`. It also allows the domain to create, read, write, and map the io_uring anon_inode. * Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag during `io_uring_setup` so that a syscall to `io_uring_enter` is not required by the caller each time it wishes to submit IO. This can be enabled securely as long as we don't enable sharing of io_uring file descriptors across domains. The kernel polling thread created by `SQPOLL` will inherit the credentials of the thread that created the io_uring [1]. * Removes the selinux policy that restricted all domains that make use of the `userfault_fd` macro from any `anon_inode` created by another domain. This is overly restrictive, as it prohibits the use of two different `anon_inode` use cases in a single domain e.g. userfaultfd and io_uring. This change also replaces existing sepolicy in fastbootd and snapuserd that enabled the use of io_uring. [1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/ Bug: 253385258 Test: m selinux_policy Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423 Test: Manually deliver OTAs (built with m dist) to a recent Pixel device and ensure snapuserd functions correctly (no io_uring failures) Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f
2022-11-14 23:06:36 +01:00
# write to /data/misc/snapuserd_log
allow snapuserd snapuserd_log_data_file:dir create_dir_perms;
allow snapuserd snapuserd_log_data_file:file create_file_perms;
# Read /proc/stat to determine boot time
allow snapuserd proc_stat:file r_file_perms;
Add SELinux Policy For io_uring Brings in the io_uring class and associated restrictions and adds a new macro, `io_uring_use`, to sepolicy. In more detail, this change: * Adds a new macro expands to ensure the domain it is passed can undergo a type transition to a new type, `<domain>_iouring`, when the anon_inode being accessed is labeled `[io_uring]`. It also allows the domain to create, read, write, and map the io_uring anon_inode. * Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag during `io_uring_setup` so that a syscall to `io_uring_enter` is not required by the caller each time it wishes to submit IO. This can be enabled securely as long as we don't enable sharing of io_uring file descriptors across domains. The kernel polling thread created by `SQPOLL` will inherit the credentials of the thread that created the io_uring [1]. * Removes the selinux policy that restricted all domains that make use of the `userfault_fd` macro from any `anon_inode` created by another domain. This is overly restrictive, as it prohibits the use of two different `anon_inode` use cases in a single domain e.g. userfaultfd and io_uring. This change also replaces existing sepolicy in fastbootd and snapuserd that enabled the use of io_uring. [1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/ Bug: 253385258 Test: m selinux_policy Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423 Test: Manually deliver OTAs (built with m dist) to a recent Pixel device and ensure snapuserd functions correctly (no io_uring failures) Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f
2022-11-14 23:06:36 +01:00
# This capability allows snapuserd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
allow snapuserd self:capability ipc_lock;
io_uring_use(snapuserd)