From 4b79c66714e216a1d918127d8ff6be3a44ba6ba6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Wed, 15 May 2024 13:41:55 +1000
Subject: [PATCH 1/2] Symlink microdroid access_vectors and security_classes

Symlink the access vectors and classes definitions of microdroid reqd_mask to microdroid platform. These definitions are not yet linked to the generic platform policy.

Bug: 340491179
Bug: 215093641
Test: build & TH
Change-Id: I7c4771dedfd2f35a7dda7d78bf863cbc0c288e67
---
 microdroid/reqd_mask/access_vectors | 778 +-------------------------
 microdroid/reqd_mask/security_classes | 168 +-----
 2 files changed, 2 insertions(+), 944 deletions(-)
 mode change 100644 => 120000 microdroid/reqd_mask/access_vectors
 mode change 100644 => 120000 microdroid/reqd_mask/security_classes

diff --git a/microdroid/reqd_mask/access_vectors b/microdroid/reqd_mask/access_vectors
deleted file mode 100644
index 22f2ffa1d..000000000
--- a/microdroid/reqd_mask/access_vectors
+++ /dev/null
@@ -1,777 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
- unlink
- link
- rename
- execute
- quotaon
- mounton
- audit_access
- open
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define a common for capability access vectors.
-#
-common cap
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the cap2 common.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-common cap2
-{
- mac_override # unused by SELinux
- mac_admin
- syslog
- wake_alarm
- block_suspend
- audit_read
- perfmon
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- associate
- quotamod
- quotaget
- watch
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class anon_inode
-inherits file
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- recvfrom
- sendto
-}
-
-class netif
-{
- ingress
- egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
- setkeycreate
- setsockcreate
- getrlimit
-}
-
-class process2
-{
- nnp_transition
- nosuid_transition
-}
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
- read_policy
- validate_trans
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
- module_request
- module_load
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-#
-
-class capability
-inherits cap
-
-class capability2
-inherits cap2
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_readpriv
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
- nlmsg_tty_audit
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
- setcontext
- polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
- send
- recv
- relabelto
- forward_in
- forward_out
-}
-
-class key
-{
- view
- read
- write
- search
- link
- setattr
- create
-}
-
-class dccp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class memprotect
-{
- mmap_zero
-}
-
-# network peer labels
-class peer
-{
- recv
-}
-
-class kernel_service
-{
- use_as_override
- create_files_as
-}
-
-class tun_socket
-inherits socket
-{
- attach_queue
-}
-
-class binder
-{
- impersonate
- call
- set_context_mgr
- transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-class infiniband_pkey
-{
- access
-}
-
-class infiniband_endport
-{
- manage_subnet
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-# in user namespaces
-#
-
-class cap_userns
-inherits cap
-
-class cap2_userns
-inherits cap2
-
-
-#
-# Define the access vector interpretation for the new socket classes
-# enabled by the extended_socket_class policy capability.
-#
-
-#
-# The next two classes were previously mapped to rawip_socket and therefore
-# have the same definition as rawip_socket (until further permissions
-# are defined).
-#
-class sctp_socket
-inherits socket
-{
- node_bind
- name_connect
- association
-}
-
-class icmp_socket
-inherits socket
-{
- node_bind
-}
-
-#
-# The remaining network socket classes were previously
-# mapped to the socket class and therefore have the
-# same definition as socket.
-#
-
-class ax25_socket
-inherits socket
-
-class ipx_socket
-inherits socket
-
-class netrom_socket
-inherits socket
-
-class atmpvc_socket
-inherits socket
-
-class x25_socket
-inherits socket
-
-class rose_socket
-inherits socket
-
-class decnet_socket
-inherits socket
-
-class atmsvc_socket
-inherits socket
-
-class rds_socket
-inherits socket
-
-class irda_socket
-inherits socket
-
-class pppox_socket
-inherits socket
-
-class llc_socket
-inherits socket
-
-class can_socket
-inherits socket
-
-class tipc_socket
-inherits socket
-
-class bluetooth_socket
-inherits socket
-
-class iucv_socket
-inherits socket
-
-class rxrpc_socket
-inherits socket
-
-class isdn_socket
-inherits socket
-
-class phonet_socket
-inherits socket
-
-class ieee802154_socket
-inherits socket
-
-class caif_socket
-inherits socket
-
-class alg_socket
-inherits socket
-
-class nfc_socket
-inherits socket
-
-class vsock_socket
-inherits socket
-
-class kcm_socket
-inherits socket
-
-class qipcrtr_socket
-inherits socket
-
-class smc_socket
-inherits socket
-
-class bpf
-{
- map_create
- map_read
- map_write
- prog_load
- prog_run
-}
-
-class property_service
-{
- set
-}
-
-class service_manager
-{
- add
- find
- list
-}
-
-class hwservice_manager
-{
- add
- find
- list
-}
-
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
- gen_unique_id
-}
-
-class keystore2
-{
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- early_boot_ended
- get_auth_token
- get_state
- list
- lock
- report_off_body
- reset
- unlock
-}
-
-class keystore2_key
-{
- convert_storage_key_to_ephemeral
- delete
- gen_unique_id
- get_info
- grant
- manage_blob
- rebind
- req_forced_op
- update
- use
- use_dev_id
-}
-
-class drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-}
-
-class xdp_socket
-inherits socket
-
-class perf_event
-{
- open
- cpu
- kernel
- tracepoint
- read
- write
-}
-
-class lockdown
-{
- integrity
- confidentiality
-}
diff --git a/microdroid/reqd_mask/access_vectors b/microdroid/reqd_mask/access_vectors
new file mode 120000
index 000000000..42b36b65e
--- /dev/null
+++ b/microdroid/reqd_mask/access_vectors
@@ -0,0 +1 @@
+../system/private/access_vectors
\ No newline at end of file
diff --git a/microdroid/reqd_mask/security_classes b/microdroid/reqd_mask/security_classes
deleted file mode 100644
index 200b030cc..000000000
--- a/microdroid/reqd_mask/security_classes
+++ /dev/null
@@ -1,167 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class anon_inode
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Infiniband
-class infiniband_pkey
-class infiniband_endport
-
-# Capability checks when on a non-init user namespace
-class cap_userns
-class cap2_userns
-
-# New socket classes introduced by extended_socket_class policy capability.
-# These two were previously mapped to rawip_socket.
-class sctp_socket
-class icmp_socket
-# These were previously mapped to socket.
-class ax25_socket
-class ipx_socket
-class netrom_socket
-class atmpvc_socket
-class x25_socket
-class rose_socket
-class decnet_socket
-class atmsvc_socket
-class rds_socket
-class irda_socket
-class pppox_socket
-class llc_socket
-class can_socket
-class tipc_socket
-class bluetooth_socket
-class iucv_socket
-class rxrpc_socket
-class isdn_socket
-class phonet_socket
-class ieee802154_socket
-class caif_socket
-class alg_socket
-class nfc_socket
-class vsock_socket
-class kcm_socket
-class qipcrtr_socket
-class smc_socket
-
-class process2
-
-class bpf
-
-class xdp_socket
-
-class perf_event
-
-# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
-class lockdown
-
-# Property service
-class property_service # userspace
-
-# Service manager
-class service_manager # userspace
-
-# hardware service manager # userspace
-class hwservice_manager
-
-# Legacy Keystore key permissions
-class keystore_key # userspace
-
-# Keystore 2.0 permissions
-class keystore2 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key # userspace
-
-class drmservice # userspace
-# FLASK
diff --git a/microdroid/reqd_mask/security_classes b/microdroid/reqd_mask/security_classes
new file mode 120000
index 000000000..2466fd0fd
--- /dev/null
+++ b/microdroid/reqd_mask/security_classes
@@ -0,0 +1 @@
+../system/private/security_classes
\ No newline at end of file
From 6772c50574d4e7daf4682f0303f8f37c3f600c67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Wed, 15 May 2024 13:12:40 +1000
Subject: [PATCH 2/2] Define new kernel security classes

Define new classes and access vectors recognised by the kernel.

Bug: 340491179
Test: boot and check logs for undefined class or permission
Change-Id: I9b32916ea231cf396aa326ed7e08cb14e4eb2c9b
---
 microdroid/system/private/access_vectors | 16 +++++++++++++---
 microdroid/system/private/security_classes | 6 ++++--
 private/access_vectors | 16 +++++++++++++---
 private/security_classes | 6 ++++--
 4 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 8c9b5daff..4fa7abe41 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -139,6 +139,8 @@ common cap2
 block_suspend
 audit_read
 perfmon
+ checkpoint_restore
+ bpf
 }
 
 #
@@ -664,6 +666,12 @@ inherits socket
 class smc_socket
 inherits socket
+class xdp_socket
+inherits socket
+
+class mctp_socket
+inherits socket
+
 
 class bpf
 {
 map_create
@@ -703,9 +711,6 @@ class drmservice {
 pread
 }
 
-class xdp_socket
-inherits socket
-
 class perf_event
 {
 open
@@ -728,3 +733,8 @@ class io_uring
 sqpoll
 cmd
 }
+
+class user_namespace
+{
+ create
+}
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index e74092807..aba2b604c 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -133,13 +133,13 @@ class vsock_socket
 class kcm_socket
 class qipcrtr_socket
 class smc_socket
+class xdp_socket
+class mctp_socket
 
 class process2
 
 class bpf
 
-class xdp_socket
-
 class perf_event
 
 class io_uring
@@ -147,6 +147,8 @@ class io_uring
 # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
 class lockdown
 
+class user_namespace
+
 # Property service
 class property_service # userspace
 
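Review bot: The two capabilities added to `common cap2` are listed in the reverse of the kernel's numbering: `checkpoint_restore` comes before `bpf` in the hunk, but CAP_BPF is capability 39 and CAP_CHECKPOINT_RESTORE is 40, and the sibling `common cap` block of this file (visible in the copy removed by the first patch) carries the note "Care should be taken to ensure that these are consistent with those definitions. (Order matters)". The kernel resolves permission names against the loaded policy by string lookup, so this very likely does not change which capability is enforced, but the ordering convention exists so the list can be audited line by line against capability.h and the kernel's COMMON_CAP2_PERMS. I would reorder the tail of the block to `perfmon`, `bpf`, `checkpoint_restore`. The `common cap2` block starts outside this hunk.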
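Review bot: Defining `class user_namespace { create }` moves user-namespace creation from the policy's handle-unknown fallback to an explicit access check: once the class exists, every clone/unshare with CLONE_NEWUSER is decided by allow rules, so any microdroid domain that creates user namespaces now needs one or is denied in enforcing mode. If this policy is compiled with handle-unknown set to deny (which I believe is the secilc default) enforcement does not actually change and only the "undefined class" log line goes away, but the Test line only mentions checking for undefined-class messages, not for new denials on this class, so that assumption is worth stating. A one-line comment above the class, such as `# Checked on clone/unshare with CLONE_NEWUSER; domains creating user namespaces need an explicit allow`, would make the new enforcement point obvious to policy authors. The hunk sits at the end of the file after `class io_uring`, which begins outside it.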
diff --git a/private/access_vectors b/private/access_vectors
index 60ec0ae0d..7a280c518 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -139,6 +139,8 @@ common cap2
 block_suspend
 audit_read
 perfmon
+ checkpoint_restore
+ bpf
 }
 
 #
@@ -664,6 +666,12 @@ inherits socket
 class smc_socket
 inherits socket
+class xdp_socket
+inherits socket
+
+class mctp_socket
+inherits socket
+
 
 class bpf
 {
 map_create
@@ -772,9 +780,6 @@ class drmservice {
 pread
 }
 
-class xdp_socket
-inherits socket
-
 class perf_event
 {
 open
@@ -797,3 +802,8 @@ class io_uring
 sqpoll
 cmd
 }
+
+class user_namespace
+{
+ create
+}
diff --git a/private/security_classes b/private/security_classes
index 99f947f29..1d13d9fa0 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -133,13 +133,13 @@ class vsock_socket
 class kcm_socket
 class qipcrtr_socket
 class smc_socket
+class xdp_socket
+class mctp_socket
 
 class process2
 
 class bpf
 
-class xdp_socket
-
 class perf_event
 
 class io_uring
@@ -147,6 +147,8 @@ class io_uring
 # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
 class lockdown
 
+class user_namespace
+
 # Property service
 class property_service # userspace
 
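Review bot: In the platform `private/access_vectors` hunk for `common cap2`, `checkpoint_restore` is inserted ahead of `bpf`, which inverts the kernel's capability numbering (CAP_BPF = 39, CAP_CHECKPOINT_RESTORE = 40) and contradicts the "(Order matters)" note the same file keeps in its `common cap` block. Because the kernel maps its capability names onto policy permissions by name when the policy is loaded, the swapped order should not grant or deny the wrong capability, but the file's convention of mirroring capability.h is what lets a reviewer verify the list against the kernel's COMMON_CAP2_PERMS at a glance. The fix is to write the additions as `bpf` then `checkpoint_restore` after `perfmon`. The enclosing `common cap2` block begins before this hunk.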
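Review bot: Adding `class user_namespace { create }` to the platform policy means user-namespace creation is no longer governed by the handle-unknown setting but by explicit allow rules, so any domain that calls clone/unshare with CLONE_NEWUSER must now be granted `user_namespace create` or it will be denied when enforcing. Whether this is a behaviour change depends on how the policy is built: with handle-unknown deny (which I believe secilc uses by default) the outcome is the same as before and only the kernel's "class not defined in policy" warning disappears, whereas with allow it silently tightens enforcement, and the commit's Test line covers only the first case. I would document the contract at the definition, e.g. `# Enforced on clone/unshare(CLONE_NEWUSER); grant create to domains that need user namespaces`, and confirm in the commit message that no existing domain relied on the fallback. The hunk is the tail of the file, following `class io_uring`, whose body starts outside the hunk.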