Add SELinux Policy For io_uring

Brings in the io_uring class and associated restrictions and adds a new
macro, `io_uring_use`, to sepolicy.

In more detail, this change:

* Adds a new macro that expands to ensure the domain it is passed can undergo a
type transition to a new type, `<domain>_iouring`, when the anon_inode
being accessed is labeled `[io_uring]`. It also allows the domain to
create, read, write, and map the io_uring anon_inode.

* Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag
during `io_uring_setup` so that a syscall to `io_uring_enter` is not
required by the caller each time it wishes to submit IO. This can be
enabled securely as long as we don't enable sharing of io_uring file
descriptors across domains. The kernel polling thread created by `SQPOLL`
will inherit the credentials of the thread that created the io_uring [1].

* Removes the selinux policy that restricted all domains that make use of
the `userfault_fd` macro from any `anon_inode` created by another domain.
This is overly restrictive, as it prohibits the use of two different
`anon_inode` use cases in a single domain e.g. userfaultfd and io_uring.

This change also replaces existing sepolicy in fastbootd and snapuserd
that enabled the use of io_uring.

[1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/

Bug: 253385258
Test: m selinux_policy
Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423
Test: Manually deliver OTAs (built with m dist) to a recent Pixel device
and ensure snapuserd functions correctly (no io_uring failures)

Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f
Gil Cukierman 2022-11-14 17:06:36 -05:00
parent 7e754a1c56
commit 214294ce75
6 changed files with 41 additions and 10 deletions


@ -789,3 +789,10 @@ class lockdown
integrity
confidentiality
}
class io_uring
{
override_creds
sqpoll
cmd
}
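Review bot: `override_creds` and `cmd` are declared in this class but nothing in the change grants, dontaudits or explains them; only `sqpoll` is exercised, by the new `io_uring_use` macro. Add a one-line comment per permission saying what it gates, or record in the macro comment that `override_creds` and `cmd` are intentionally left ungranted, so the next person extending the macro knows they were considered rather than overlooked.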


@ -266,7 +266,6 @@ neverallow {
-mediaprovider_app
} { userdebug_or_eng_prop }:file read;
# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
# used to communicate to the mdnsd responder. The mdnsd responder will be
# replaced by a java implementation which is integrated into the system server.
@ -288,3 +287,9 @@ neverallow {
-untrusted_app_30
-untrusted_app_32
} mdnsd:unix_stream_socket connectto;
# Do not allow untrusted apps to use anonymous inodes. At the moment,
# type transitions are the only way to distinguish between different
# anon_inode usages like userfaultfd and io_uring. This prevents us from
# creating a more fine-grained neverallow policy for each anon_inode usage.
neverallow all_untrusted_apps domain:anon_inode *;
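Review bot: the `domain:anon_inode *` target is deliberately broader than the new per-usage types, and that is what makes the rule hold: a ring created by an untrusted app is labelled with the app's own domain type (or with a `_iouring` type if such a domain ever got the macro), and both fall under this wildcard. Since the comment says type transitions are the only way to tell usages apart, it should also say that this rule is meant to remain even once finer-grained `_userfaultfd`/`_iouring` neverallows exist, so that nobody later narrows it to a per-type rule and reopens untyped `self:anon_inode` use for untrusted apps.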


@ -50,7 +50,7 @@ recovery_only(`
hal_client_domain(fastbootd, hal_fastboot)
')
# io_uring_setup needs ipc_lock and permission to operate anon inodes
# This capability allows fastbootd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
allow fastbootd self:capability ipc_lock;
allow fastbootd self:anon_inode create_file_perms;
io_uring_use(fastbootd)
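Review bot: `allow fastbootd self:capability ipc_lock;` conflicts with the stance of the new macro, whose comment says io_uring checks CAP_IPC_LOCK only to decide whether to account memory against RLIMIT_MEMLOCK and that granting it to silence denials is undesirable (the macro dontaudits that denial for exactly this reason). If fastbootd genuinely needs to exceed the memlock limit, the comment above the rule should say which buffers push it over and why raising the rlimit for the service (the alternative the comment itself names) was rejected; otherwise the capability grant should go together with the `self:anon_inode create_file_perms` line that `io_uring_use(fastbootd)` replaces. The first comment line, `io_uring_setup needs ipc_lock and permission to operate anon inodes`, is now inaccurate on both counts (the capability is optional and the anon_inode permission comes from the macro's `fastbootd_iouring` type) and should be reworded.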


@ -142,6 +142,8 @@ class xdp_socket
class perf_event
class io_uring
# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown
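Review bot: `class io_uring` is added without the introducing-kernel-commit comment that the neighbouring `lockdown` class carries; add the same style of comment so readers can tell which kernel version first exposes the class, and therefore on which devices the `sqpoll` check in `io_uring_use` is enforced at all.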


@ -8,8 +8,6 @@ init_daemon_domain(snapuserd)
allow snapuserd kmsg_device:chr_file rw_file_perms;
allow snapuserd self:capability ipc_lock;
# Allow snapuserd to reach block devices in /dev/block.
allow snapuserd block_device:dir search;
@ -54,9 +52,12 @@ neverallow {
-init
} snapuserd_prop:property_service set;
allow snapuserd self:anon_inode create_file_perms;
# Allow to read/write/create OTA metadata files
allow snapuserd metadata_file:dir search;
allow snapuserd ota_metadata_file:dir rw_dir_perms;
allow snapuserd ota_metadata_file:file create_file_perms;
# This capability allows snapuserd to circumvent memlock rlimits while using
# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
allow snapuserd self:capability ipc_lock;
io_uring_use(snapuserd)
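Review bot: same concern as for fastbootd: `allow snapuserd self:capability ipc_lock;` is re-added with a comment that contradicts the macro's own comment about CAP_IPC_LOCK only bypassing RLIMIT_MEMLOCK accounting, and the macro already dontaudits that denial. If snapuserd's ring buffers really exceed the default memlock rlimit, state that in the comment; if not, drop the capability and rely on the dontaudit. Also, if `allow snapuserd self:anon_inode create_file_perms;` at the top of this hunk is retained rather than being the line removed, it is now redundant for io_uring (the ring is labelled `snapuserd_iouring` by the macro's type_transition) and only keeps untyped anon_inode use open; the commit message says it is being replaced, so please confirm it is gone.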


@ -176,8 +176,6 @@ allow $1 $1_userfaultfd:anon_inode { create ioctl read };
dontaudit su $1_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
# This domain may not use userfaultfd anon_inodes created by other domains.
neverallow $1 ~$1_userfaultfd:anon_inode *;
')
####################################
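Review bot: dropping `neverallow $1 ~$1_userfaultfd:anon_inode *;` is justified in the commit message, but note what remains: a userfaultfd domain is now only barred from anon_inodes that some other domain's macro invocation typed as `_userfaultfd` or `_iouring`. A ring created by a domain that still has a bare `self:anon_inode` rule is labelled with that domain's type, and nothing now forbids `$1` from being granted access to it. If that gap matters, `neverallow $1 { domain -$1 }:anon_inode *;` would keep the cross-domain guarantee while still allowing both `_userfaultfd` and `_iouring` types in one domain, since those types (see `type $1_iouring;` in the macro below) are not members of `domain`.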
@ -1043,3 +1041,21 @@ define(`use_apex_info', `
allow $1 apex_mnt_dir:dir r_dir_perms;
allow $1 apex_info_file:file r_file_perms;
')
####################################
# io_uring_use(domain)
# Allow domain to create/use io_uring.
define(`io_uring_use', `
# Set up a type_transition to "io_uring" named anonymous inode object.
type $1_iouring;
type_transition $1 $1:anon_inode $1_iouring "[io_uring]";
# Allow domain to create/use io_uring anon_inode.
allow $1 $1_iouring:anon_inode { create map read write };
allow $1 self:io_uring sqpoll;
# Other domains may not use iouring anon_inodes created by this domain.
neverallow { domain -$1 } $1_iouring:anon_inode *;
# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
# grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
dontaudit $1 self:global_capability_class_set ipc_lock;
')
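Review bot: the cross-domain isolation that the commit message relies on to make `sqpoll` safe only holds for rings created through this macro: `neverallow { domain -$1 } $1_iouring:anon_inode *;` says nothing about a ring created by a domain with a plain `self:anon_inode create_file_perms` rule, which is labelled with that domain's own type and can be shared with whatever that domain's rules allow. The macro comment should state that `io_uring_use` is the only sanctioned way to grant io_uring, and a follow-up could add a neverallow against untyped `self:anon_inode` use once no remaining domain depends on it. Two smaller points: for parity with `userfaultfd_use` add `dontaudit su $1_iouring:anon_inode *;` so root shell access to ring fds on userdebug builds does not generate denials, and `undesireable` in the comment should read `undesirable`.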