Merge changes I9b32916e,I7c4771de into main am: e138fe460b

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3088167 Change-Id: I86722870f9d7c216f633fe36cc01049fb3a4efcb Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-05-21 10:45:14 +00:00 · 2024-05-21 10:45:14 +00:00 · 30591033a7
commit 30591033a7
parent 14898c5d0c e138fe460b
6 changed files with 36 additions and 954 deletions
--- a/microdroid/reqd_mask/access_vectors
+++ b/microdroid/reqd_mask/access_vectors
@ -1,777 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-	map
-	unlink
-	link
-	rename
-	execute
-	quotaon
-	mounton
-	audit_access
-	open
-	execmod
-	watch
-	watch_mount
-	watch_sb
-	watch_with_perm
-	watch_reads
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
-	ioctl
-	read
-	write
-	create
-	getattr
-	setattr
-	lock
-	relabelfrom
-	relabelto
-	append
-	map
-# socket-specific
-	bind
-	connect
-	listen
-	accept
-	getopt
-	setopt
-	shutdown
-	recvfrom
-	sendto
-	name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
-	create
-	destroy
-	getattr
-	setattr
-	read
-	write
-	associate
-	unix_read
-	unix_write
-}
-
-#
-# Define a common for capability access vectors.
-#
-common cap
-{
-	# The capabilities are defined in include/linux/capability.h
-	# Capabilities >= 32 are defined in the cap2 common.
-	# Care should be taken to ensure that these are consistent with
-	# those definitions. (Order matters)
-
-	chown
-	dac_override
-	dac_read_search
-	fowner
-	fsetid
-	kill
-	setgid
-	setuid
-	setpcap
-	linux_immutable
-	net_bind_service
-	net_broadcast
-	net_admin
-	net_raw
-	ipc_lock
-	ipc_owner
-	sys_module
-	sys_rawio
-	sys_chroot
-	sys_ptrace
-	sys_pacct
-	sys_admin
-	sys_boot
-	sys_nice
-	sys_resource
-	sys_time
-	sys_tty_config
-	mknod
-	lease
-	audit_write
-	audit_control
-	setfcap
-}
-
-common cap2
-{
-	mac_override	# unused by SELinux
-	mac_admin
-	syslog
-	wake_alarm
-	block_suspend
-	audit_read
-	perfmon
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
-	mount
-	remount
-	unmount
-	getattr
-	relabelfrom
-	relabelto
-	associate
-	quotamod
-	quotaget
-	watch
-}
-
-class dir
-inherits file
-{
-	add_name
-	remove_name
-	reparent
-	search
-	rmdir
-}
-
-class file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-}
-
-class anon_inode
-inherits file
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
-	execute_no_trans
-	entrypoint
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
-	use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
-	node_bind
-	name_connect
-}
-
-class udp_socket
-inherits socket
-{
-	node_bind
-}
-
-class rawip_socket
-inherits socket
-{
-	node_bind
-}
-
-class node
-{
-	recvfrom
-	sendto
-}
-
-class netif
-{
-	ingress
-	egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
-	connectto
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
-	fork
-	transition
-	sigchld # commonly granted from child to parent
-	sigkill # cannot be caught or ignored
-	sigstop # cannot be caught or ignored
-	signull # for kill(pid, 0)
-	signal  # all other signals
-	ptrace
-	getsched
-	setsched
-	getsession
-	getpgid
-	setpgid
-	getcap
-	setcap
-	share
-	getattr
-	setexec
-	setfscreate
-	noatsecure
-	siginh
-	setrlimit
-	rlimitinh
-	dyntransition
-	setcurrent
-	execmem
-	execstack
-	execheap
-	setkeycreate
-	setsockcreate
-	getrlimit
-}
-
-class process2
-{
-	nnp_transition
-	nosuid_transition
-}
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
-	enqueue
-}
-
-class msg
-{
-	send
-	receive
-}
-
-class shm
-inherits ipc
-{
-	lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
-	compute_av
-	compute_create
-	compute_member
-	check_context
-	load_policy
-	compute_relabel
-	compute_user
-	setenforce     # was avc_toggle in system class
-	setbool
-	setsecparam
-	setcheckreqprot
-	read_policy
-	validate_trans
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
-	ipc_info
-	syslog_read
-	syslog_mod
-	syslog_console
-	module_request
-	module_load
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-#
-
-class capability
-inherits cap
-
-class capability2
-inherits cap2
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-	nlmsg_readpriv
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
-	nlmsg_read
-	nlmsg_write
-	nlmsg_relay
-	nlmsg_readpriv
-	nlmsg_tty_audit
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
-	sendto
-	recvfrom
-	setcontext
-	polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
-	send
-	recv
-	relabelto
-	forward_in
-	forward_out
-}
-
-class key
-{
-	view
-	read
-	write
-	search
-	link
-	setattr
-	create
-}
-
-class dccp_socket
-inherits socket
-{
-	node_bind
-	name_connect
-}
-
-class memprotect
-{
-	mmap_zero
-}
-
-# network peer labels
-class peer
-{
-	recv
-}
-
-class kernel_service
-{
-	use_as_override
-	create_files_as
-}
-
-class tun_socket
-inherits socket
-{
-	attach_queue
-}
-
-class binder
-{
-	impersonate
-	call
-	set_context_mgr
-	transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-class infiniband_pkey
-{
-	access
-}
-
-class infiniband_endport
-{
-	manage_subnet
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-# in user namespaces
-#
-
-class cap_userns
-inherits cap
-
-class cap2_userns
-inherits cap2
-
-
-#
-# Define the access vector interpretation for the new socket classes
-# enabled by the extended_socket_class policy capability.
-#
-
-#
-# The next two classes were previously mapped to rawip_socket and therefore
-# have the same definition as rawip_socket (until further permissions
-# are defined).
-#
-class sctp_socket
-inherits socket
-{
-	node_bind
-	name_connect
-	association
-}
-
-class icmp_socket
-inherits socket
-{
-	node_bind
-}
-
-#
-# The remaining network socket classes were previously
-# mapped to the socket class and therefore have the
-# same definition as socket.
-#
-
-class ax25_socket
-inherits socket
-
-class ipx_socket
-inherits socket
-
-class netrom_socket
-inherits socket
-
-class atmpvc_socket
-inherits socket
-
-class x25_socket
-inherits socket
-
-class rose_socket
-inherits socket
-
-class decnet_socket
-inherits socket
-
-class atmsvc_socket
-inherits socket
-
-class rds_socket
-inherits socket
-
-class irda_socket
-inherits socket
-
-class pppox_socket
-inherits socket
-
-class llc_socket
-inherits socket
-
-class can_socket
-inherits socket
-
-class tipc_socket
-inherits socket
-
-class bluetooth_socket
-inherits socket
-
-class iucv_socket
-inherits socket
-
-class rxrpc_socket
-inherits socket
-
-class isdn_socket
-inherits socket
-
-class phonet_socket
-inherits socket
-
-class ieee802154_socket
-inherits socket
-
-class caif_socket
-inherits socket
-
-class alg_socket
-inherits socket
-
-class nfc_socket
-inherits socket
-
-class vsock_socket
-inherits socket
-
-class kcm_socket
-inherits socket
-
-class qipcrtr_socket
-inherits socket
-
-class smc_socket
-inherits socket
-
-class bpf
-{
-	map_create
-	map_read
-	map_write
-	prog_load
-	prog_run
-}
-
-class property_service
-{
-	set
-}
-
-class service_manager
-{
-	add
-	find
-	list
-}
-
-class hwservice_manager
-{
-	add
-	find
-	list
-}
-
-class keystore_key
-{
-	get_state
-	get
-	insert
-	delete
-	exist
-	list
-	reset
-	password
-	lock
-	unlock
-	is_empty
-	sign
-	verify
-	grant
-	duplicate
-	clear_uid
-	add_auth
-	user_changed
-	gen_unique_id
-}
-
-class keystore2
-{
-	add_auth
-	change_password
-	change_user
-	clear_ns
-	clear_uid
-	early_boot_ended
-	get_auth_token
-	get_state
-	list
-	lock
-	report_off_body
-	reset
-	unlock
-}
-
-class keystore2_key
-{
-	convert_storage_key_to_ephemeral
-	delete
-	gen_unique_id
-	get_info
-	grant
-	manage_blob
-	rebind
-	req_forced_op
-	update
-	use
-	use_dev_id
-}
-
-class drmservice {
-	consumeRights
-	setPlaybackStatus
-	openDecryptSession
-	closeDecryptSession
-	initializeDecryptUnit
-	decrypt
-	finalizeDecryptUnit
-	pread
-}
-
-class xdp_socket
-inherits socket
-
-class perf_event
-{
-	open
-	cpu
-	kernel
-	tracepoint
-	read
-	write
-}
-
-class lockdown
-{
-	integrity
-	confidentiality
-}
--- a/microdroid/reqd_mask/access_vectors
+++ b/microdroid/reqd_mask/access_vectors
@ -0,0 +1 @@
+../system/private/access_vectors
--- a/microdroid/reqd_mask/security_classes
+++ b/microdroid/reqd_mask/security_classes
@ -1,167 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class anon_inode
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Infiniband
-class infiniband_pkey
-class infiniband_endport
-
-# Capability checks when on a non-init user namespace
-class cap_userns
-class cap2_userns
-
-# New socket classes introduced by extended_socket_class policy capability.
-# These two were previously mapped to rawip_socket.
-class sctp_socket
-class icmp_socket
-# These were previously mapped to socket.
-class ax25_socket
-class ipx_socket
-class netrom_socket
-class atmpvc_socket
-class x25_socket
-class rose_socket
-class decnet_socket
-class atmsvc_socket
-class rds_socket
-class irda_socket
-class pppox_socket
-class llc_socket
-class can_socket
-class tipc_socket
-class bluetooth_socket
-class iucv_socket
-class rxrpc_socket
-class isdn_socket
-class phonet_socket
-class ieee802154_socket
-class caif_socket
-class alg_socket
-class nfc_socket
-class vsock_socket
-class kcm_socket
-class qipcrtr_socket
-class smc_socket
-
-class process2
-
-class bpf
-
-class xdp_socket
-
-class perf_event
-
-# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
-class lockdown
-
-# Property service
-class property_service          # userspace
-
-# Service manager
-class service_manager           # userspace
-
-# hardware service manager      # userspace
-class hwservice_manager
-
-# Legacy Keystore key permissions
-class keystore_key              # userspace
-
-# Keystore 2.0 permissions
-class keystore2                 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key             # userspace
-
-class drmservice                # userspace
-# FLASK
--- a/microdroid/reqd_mask/security_classes
+++ b/microdroid/reqd_mask/security_classes
@ -0,0 +1 @@
+../system/private/security_classes
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@ -139,6 +139,8 @@ common cap2
 	block_suspend
 	audit_read
 	perfmon
+	checkpoint_restore
+	bpf
 }

 #
@ -664,6 +666,12 @@ inherits socket
 class smc_socket
 inherits socket

+class xdp_socket
+inherits socket
+
+class mctp_socket
+inherits socket
+
 class bpf
 {
 	map_create
@ -703,9 +711,6 @@ class drmservice {
 	pread
 }

-class xdp_socket
-inherits socket
-
 class perf_event
 {
 	open
@ -728,3 +733,8 @@ class io_uring
 	sqpoll
 	cmd
 }
+
+class user_namespace
+{
+	create
+}
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@ -133,13 +133,13 @@ class vsock_socket
 class kcm_socket
 class qipcrtr_socket
 class smc_socket
+class xdp_socket
+class mctp_socket

 class process2

 class bpf

-class xdp_socket
-
 class perf_event

 class io_uring
@ -147,6 +147,8 @@ class io_uring
 # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
 class lockdown

+class user_namespace
+
 # Property service
 class property_service          # userspace

--- a/private/access_vectors
+++ b/private/access_vectors
@ -139,6 +139,8 @@ common cap2
 	block_suspend
 	audit_read
 	perfmon
+	checkpoint_restore
+	bpf
 }

 #
@ -664,6 +666,12 @@ inherits socket
 class smc_socket
 inherits socket

+class xdp_socket
+inherits socket
+
+class mctp_socket
+inherits socket
+
 class bpf
 {
 	map_create
@ -772,9 +780,6 @@ class drmservice {
 	pread
 }

-class xdp_socket
-inherits socket
-
 class perf_event
 {
 	open
@ -797,3 +802,8 @@ class io_uring
 	sqpoll
 	cmd
 }
+
+class user_namespace
+{
+	create
+}
--- a/private/security_classes
+++ b/private/security_classes
@ -133,13 +133,13 @@ class vsock_socket
 class kcm_socket
 class qipcrtr_socket
 class smc_socket
+class xdp_socket
+class mctp_socket

 class process2

 class bpf

-class xdp_socket
-
 class perf_event

 class io_uring
@ -147,6 +147,8 @@ class io_uring
 # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
 class lockdown

+class user_namespace
+
 # Property service
 class property_service          # userspace