Merge "Add SELinux Policy For io_uring" am: fab49d0a64
am: bc0f54877a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2302679 Change-Id: I21fd2c66080a7ee46c85090e818ed69dbc7af699 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
27b502dfb9
6 changed files with 41 additions and 10 deletions
|
@ -789,3 +789,10 @@ class lockdown
|
|||
integrity
|
||||
confidentiality
|
||||
}
|
||||
|
||||
class io_uring
|
||||
{
|
||||
override_creds
|
||||
sqpoll
|
||||
cmd
|
||||
}
|
||||
|
|
|
@ -266,7 +266,6 @@ neverallow {
|
|||
-mediaprovider_app
|
||||
} { userdebug_or_eng_prop }:file read;
|
||||
|
||||
|
||||
# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
|
||||
# used to communicate to the mdnsd responder. The mdnsd responder will be
|
||||
# replaced by a java implementation which is integrated into the system server.
|
||||
|
@ -288,3 +287,9 @@ neverallow {
|
|||
-untrusted_app_30
|
||||
-untrusted_app_32
|
||||
} mdnsd:unix_stream_socket connectto;
|
||||
|
||||
# Do not allow untrusted apps to use anonymous inodes. At the moment,
|
||||
# type transitions are the only way to distinguish between different
|
||||
# anon_inode usages like userfaultfd and io_uring. This prevents us from
|
||||
# creating a more fine-grained neverallow policy for each anon_inode usage.
|
||||
neverallow all_untrusted_apps domain:anon_inode *;
|
||||
|
|
|
@ -50,7 +50,7 @@ recovery_only(`
|
|||
hal_client_domain(fastbootd, hal_fastboot)
|
||||
')
|
||||
|
||||
# io_uring_setup needs ipc_lock and permission to operate anon inodes
|
||||
# This capability allows fastbootd to circumvent memlock rlimits while using
|
||||
# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
|
||||
allow fastbootd self:capability ipc_lock;
|
||||
|
||||
allow fastbootd self:anon_inode create_file_perms;
|
||||
io_uring_use(fastbootd)
|
||||
|
|
|
@ -142,6 +142,8 @@ class xdp_socket
|
|||
|
||||
class perf_event
|
||||
|
||||
class io_uring
|
||||
|
||||
# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
|
||||
class lockdown
|
||||
|
||||
|
|
|
@ -8,8 +8,6 @@ init_daemon_domain(snapuserd)
|
|||
|
||||
allow snapuserd kmsg_device:chr_file rw_file_perms;
|
||||
|
||||
allow snapuserd self:capability ipc_lock;
|
||||
|
||||
# Allow snapuserd to reach block devices in /dev/block.
|
||||
allow snapuserd block_device:dir search;
|
||||
|
||||
|
@ -54,9 +52,12 @@ neverallow {
|
|||
-init
|
||||
} snapuserd_prop:property_service set;
|
||||
|
||||
allow snapuserd self:anon_inode create_file_perms;
|
||||
|
||||
# Allow to read/write/create OTA metadata files
|
||||
allow snapuserd metadata_file:dir search;
|
||||
allow snapuserd ota_metadata_file:dir rw_dir_perms;
|
||||
allow snapuserd ota_metadata_file:file create_file_perms;
|
||||
|
||||
# This capability allows snapuserd to circumvent memlock rlimits while using
|
||||
# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
|
||||
allow snapuserd self:capability ipc_lock;
|
||||
io_uring_use(snapuserd)
|
||||
|
|
|
@ -176,8 +176,6 @@ allow $1 $1_userfaultfd:anon_inode { create ioctl read };
|
|||
dontaudit su $1_userfaultfd:anon_inode *;
|
||||
# Other domains may not use userfaultfd anon_inodes created by this domain.
|
||||
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
|
||||
# This domain may not use userfaultfd anon_inodes created by other domains.
|
||||
neverallow $1 ~$1_userfaultfd:anon_inode *;
|
||||
')
|
||||
|
||||
####################################
|
||||
|
@ -1043,3 +1041,21 @@ define(`use_apex_info', `
|
|||
allow $1 apex_mnt_dir:dir r_dir_perms;
|
||||
allow $1 apex_info_file:file r_file_perms;
|
||||
')
|
||||
|
||||
####################################
|
||||
# io_uring_use(domain)
|
||||
# Allow domain to create/use io_uring.
|
||||
define(`io_uring_use', `
|
||||
# Set up a type_transition to "io_uring" named anonymous inode object.
|
||||
type $1_iouring;
|
||||
type_transition $1 $1:anon_inode $1_iouring "[io_uring]";
|
||||
# Allow domain to create/use io_uring anon_inode.
|
||||
allow $1 $1_iouring:anon_inode { create map read write };
|
||||
allow $1 self:io_uring sqpoll;
|
||||
# Other domains may not use iouring anon_inodes created by this domain.
|
||||
neverallow { domain -$1 } $1_iouring:anon_inode *;
|
||||
# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
|
||||
# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
|
||||
# grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
|
||||
dontaudit $1 self:global_capability_class_set ipc_lock;
|
||||
')
|
||||
|
|
Loading…
Reference in a new issue