Revert "Revert "Add neverallows for debugfs access""

This reverts commit e95e0ec0a5. Now that b/186727553 is fixed, it should be safe to revert this revert. Test: build Bug: 184381659 Change-Id: Ibea3882296db880f5cafe4f9efa36d79a183c8a1
2021-05-04 22:01:51 -07:00 · 2021-05-04 22:01:51 -07:00 · 23f9f51fcd
commit 23f9f51fcd
parent 6c03124c3c
11 changed files with 62 additions and 23 deletions
--- a/private/coredomain.te
+++ b/private/coredomain.te
@ -153,9 +153,11 @@ full_treble_only(`
  # debugfs
  neverallow {
    coredomain
-    -dumpstate
-    -init
-    -system_server
+    no_debugfs_restriction(`
+      -dumpstate
+      -init
+      -system_server
+    ')
  } debugfs:file no_rw_file_perms;

  # tracefs
--- a/private/domain.te
+++ b/private/domain.te
@ -521,3 +521,18 @@ neverallow {
  -traced_probes
  -traced_perf
 } proc_kallsyms:file { open read };
+
+# debugfs_kcov type is not included in this neverallow statement since the KCOV
+# tool uses it for kernel fuzzing.
+enforce_debugfs_restriction(`
+  neverallow {
+    domain
+    userdebug_or_eng(`
+      -init
+      -hal_dumpstate
+    ')
+  } { debugfs_type
+      userdebug_or_eng(`-debugfs_kcov')
+      -tracefs_type
+  }:file no_rw_file_perms;
+')
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@ -54,7 +54,10 @@ allow dumpstate {
 }:process signal;

 # For collecting bugreports.
-allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+')
+
 allow dumpstate dev_type:blk_file getattr;
 allow dumpstate webview_zygote:process signal;
 allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
--- a/private/incidentd.te
+++ b/private/incidentd.te
@ -29,7 +29,9 @@ unix_socket_send(incidentd, statsdw, statsd)
 allow incidentd proc_pagetypeinfo:file r_file_perms;

 # section id 2002, allow reading /d/wakeup_sources
-allow incidentd debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow incidentd debugfs_wakeup_sources:file r_file_perms;
+')

 # section id 2003, allow executing top
 allow incidentd proc_meminfo:file { open read };
--- a/private/storaged.te
+++ b/private/storaged.te
@ -18,10 +18,12 @@ allow storaged packages_list_file:file r_file_perms;
 allow storaged storaged_data_file:dir rw_dir_perms;
 allow storaged storaged_data_file:file create_file_perms;

-userdebug_or_eng(`
-  # Read access to debugfs
-  allow storaged debugfs_mmc:dir search;
-  allow storaged debugfs_mmc:file r_file_perms;
+no_debugfs_restriction(`
+  userdebug_or_eng(`
+    # Read access to debugfs
+    allow storaged debugfs_mmc:dir search;
+    allow storaged debugfs_mmc:file r_file_perms;
+  ')
 ')

 # Needed to provide debug dump output via dumpsys pipes.
--- a/private/system_server.te
+++ b/private/system_server.te
@ -184,7 +184,9 @@ allow system_server stats_data_file:dir { open read remove_name search write };
 allow system_server stats_data_file:file unlink;

 # Read /sys/kernel/debug/wakeup_sources.
-allow system_server debugfs_wakeup_sources:file r_file_perms;
+no_debugfs_restriction(`
+  allow system_server debugfs_wakeup_sources:file r_file_perms;
+')

 # Read /sys/kernel/ion/*.
 allow system_server sysfs_ion:file r_file_perms;
--- a/public/attributes
+++ b/public/attributes
@ -62,6 +62,9 @@ attribute sysfs_type;
 # All types use for debugfs files.
 attribute debugfs_type;

+# All types used for tracefs files.
+attribute tracefs_type;
+
 # Attribute used for all sdcards
 attribute sdcard_type;

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@ -113,10 +113,12 @@ allow dumpstate {
 }:file r_file_perms;

 # Other random bits of data we want to collect
-allow dumpstate debugfs:file r_file_perms;
-auditallow dumpstate debugfs:file r_file_perms;
+no_debugfs_restriction(`
+  allow dumpstate debugfs:file r_file_perms;
+  auditallow dumpstate debugfs:file r_file_perms;

-allow dumpstate debugfs_mmc:file r_file_perms;
+  allow dumpstate debugfs_mmc:file r_file_perms;
+')

 # df for
 allow dumpstate {
--- a/public/file.te
+++ b/public/file.te
@ -144,14 +144,14 @@ type exfat, sdcard_type, fs_type, mlstrustedobject;
 type debugfs, fs_type, debugfs_type;
 type debugfs_kprobes, fs_type, debugfs_type;
 type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing_instances, fs_type, debugfs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type;
+type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
+type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
 type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
 type securityfs, fs_type;

 type pstorefs, fs_type;
@ -562,7 +562,7 @@ type hwservice_contexts_file, system_file_type, file_type;
 type vndservice_contexts_file, file_type;

 # /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type;
+type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;

 # kernel modules
 type vendor_kernel_modules, vendor_file_type, file_type;
--- a/public/init.te
+++ b/public/init.te
@ -240,8 +240,11 @@ allow init {
  -system_file_type
  -vendor_file_type
  -vold_data_file
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };

+allow init tracefs_type:file { create_file_perms relabelfrom };
+
 allow init {
  file_type
  -app_data_file
@ -290,8 +293,8 @@ allow init {
  -privapp_data_file
 }:dir_file_class_set relabelto;

-allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
 allow init dev_type:dir create_dir_perms;
 allow init dev_type:lnk_file create;

@ -312,6 +315,7 @@ allow init {
  -sdcard_type
  -sysfs_type
  -rootfs
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr };
 allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };

--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@ -79,6 +79,7 @@ allow vendor_init {
  -apex_metadata_file
  -apex_info_file
  -userspace_reboot_metadata_file
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { create getattr open read write setattr relabelfrom unlink map };

 allow vendor_init {
@ -143,8 +144,11 @@ allow vendor_init {
  -proc_uid_time_in_state
  -proc_uid_concurrent_active_time
  -proc_uid_concurrent_policy_time
+  enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr map };

+allow vendor_init tracefs_type:file { open read setattr map };
+
 allow vendor_init {
  fs_type
  -contextmount_type