SEPolicy for boringssl_self_test.

This CL adds hand-written SELinux rules to: - define the boringssl_self_test security domain - label the corresponding files at type boringssl_self_test_marker and boringssl_self_test_exec. - define an automatic transition from init to boringssl_self_test domains, plus appropriate access permissions. Bug: 137267623 Test: When run together with the other changes from draft CL topic http://aosp/q/topic:bug137267623_bsslselftest, check that: - both /dev/boringssl/selftest/* marker files are present after the device boots. - Test: after the boringssl_self_test{32,64} binaries have run, no further SELinux denials occur for processes trying to write the marker file. Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f
2019-08-28 22:08:50 +01:00 · 2019-08-28 22:08:50 +01:00 · 353ad0fd47
commit 353ad0fd47
parent f6bd00af8b
5 changed files with 31 additions and 2 deletions
--- a/apex/com.android.conscrypt-file_contexts
+++ b/apex/com.android.conscrypt-file_contexts
@ -1,5 +1,6 @@
 #############################
 # System files
 #
-(/.*)?                   u:object_r:system_file:s0
-/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
+(/.*)?                          u:object_r:system_file:s0
+/lib(64)?(/.*)?                 u:object_r:system_lib_file:s0
+/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
--- a/private/boringssl_self_test.te
+++ b/private/boringssl_self_test.te
@ -0,0 +1,22 @@
+type boringssl_self_test, domain;
+type boringssl_self_test_exec, system_file_type, exec_type, file_type;
+type boringssl_self_test_marker, file_type;
+
+typeattribute boringssl_self_test coredomain;
+
+# switch to boringssl_self_test security domain when running boringssl_self_test_exec from init.
+init_daemon_domain(boringssl_self_test)
+
+# Allow boringssl_self_test binaries to create/check for the existence of boringssl_self_test_marker
+# files.
+allow boringssl_self_test boringssl_self_test_marker:file create_file_perms;
+allow boringssl_self_test boringssl_self_test_marker:dir ra_dir_perms;
+
+# No other process should be able to create these files because their existence causes the
+# boringssl self test to be skipped.
+neverallow {
+  domain
+  -boringssl_self_test
+  -init
+  -vendor_init
+} boringssl_self_test_marker:file no_rw_file_perms;
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
  ( new_objects
+    boringssl_self_test
    charger_prop
    cold_boot_done_prop
    platform_compat_service
--- a/private/domain.te
+++ b/private/domain.te
@ -89,6 +89,9 @@ userdebug_or_eng(`
 allow domain linkerconfig_file:dir search;
 allow domain linkerconfig_file:file r_file_perms;

+# Allow all processes to check for the existence of the boringssl_self_test_marker files.
+allow domain boringssl_self_test_marker:dir search;
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow {
--- a/private/file_contexts
+++ b/private/file_contexts
@ -83,6 +83,7 @@
 /dev/block/vold/.+	u:object_r:vold_device:s0
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/block/zram[0-9]*	u:object_r:ram_device:s0
+/dev/boringssl/selftest(/.*)?	u:object_r:boringssl_self_test_marker:s0
 /dev/bus/usb(.*)?       u:object_r:usb_device:s0
 /dev/console		u:object_r:console_device:s0
 /dev/cpu_variant:.*     u:object_r:dev_cpu_variant:s0
@ -188,6 +189,7 @@
 /system/bin/auditctl	u:object_r:auditctl_exec:s0
 /system/bin/bcc                 u:object_r:rs_exec:s0
 /system/bin/blank_screen	u:object_r:blank_screen_exec:s0
+/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
 /system/bin/charger		u:object_r:charger_exec:s0
 /system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
 /system/bin/mke2fs		u:object_r:e2fs_exec:s0