From 3a4c68dd8335c21275ada7a249190aa3d4afc58f Mon Sep 17 00:00:00 2001 From: Kalesh Singh Date: Tue, 9 Apr 2024 16:24:48 -0700 Subject: [PATCH] sepolicy: Add rules for /sys/kernel/mm/pgsize_migration/enabled The dynamic linker needs to read this node to determine how it should load ELF files. Allow the node to be enabled/disabled by init. Bug: 330117029 Bug: 327600007 Bug: 330767927 Bug: 328266487 Bug: 329803029 Test: Free Fire Chaos App launches Test: no avc deined in logcat Change-Id: I2b35d6aebe39bf3e1e7489b47f23a817e477ef72 --- private/domain.te | 8 ++++++++ private/file.te | 3 +++ private/genfs_contexts | 1 + private/init.te | 1 + private/isolated_app_all.te | 1 + 5 files changed, 14 insertions(+) diff --git a/private/domain.te b/private/domain.te index da52d5fbc..ac96d852f 100644 --- a/private/domain.te +++ b/private/domain.te @@ -338,6 +338,10 @@ with_asan(`allow domain system_asan_options_file:file r_file_perms;') allow domain apex_mnt_dir:dir { getattr search }; allow domain apex_mnt_dir:lnk_file r_file_perms; +# Allow reading /sys/kernel/mm/pgsize_migration/enabled +allow domain sysfs_pgsize_migration:dir search; +allow domain sysfs_pgsize_migration:file r_file_perms; + # Allow everyone to read media server-configurable flags, so that libstagefright can be # configured using server-configurable flags get_prop(domain, device_config_media_native_prop) @@ -2136,3 +2140,7 @@ neverallow { domain -init -aconfigd -system_server } aconfig_storage_metadata_fi neverallow { domain -dexopt_chroot_setup -init } proc:{ file dir } mounton; neverallow { domain -dexopt_chroot_setup -init -zygote } proc_type:{ file dir } mounton; + +# Only init/vendor are allowed to write sysfs_pgsize_migration; +# ueventd needs write access to all sysfs files. +neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms; diff --git a/private/file.te b/private/file.te index 7b2507cbd..595ae41f1 100644 --- a/private/file.te +++ b/private/file.te 
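Review bot: The `allow domain sysfs_pgsize_migration:dir search;` rule in the first private/domain.te hunk does not appear to match any object. The genfs_contexts hunk in this patch labels only `/kernel/mm/pgsize_migration/enabled`, so the parent directory would keep the label of the nearest shorter genfscon prefix. If that reading is right, directory lookup depends on a rule outside this patch and the dir rule can be dropped. Labelling the whole directory instead would extend the domain-wide read grant to every node later added under it, which is broader than the commit message asks for. The comment should also say why every domain needs the read, e.g. `# The dynamic linker reads this node in every process to decide how to load ELF files.`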
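Review bot: The comment above the new neverallow at the end of private/domain.te says "init/vendor", while the rule itself exempts `vendor_init` and `ueventd`. Naming the domains exactly, e.g. `# Only init and vendor_init may write sysfs_pgsize_migration;`, avoids it being read as "any vendor domain". No allow rule granting vendor_init write access is visible in this patch, so the exemption presumably relies on an existing rule elsewhere. It is worth confirming the exemption is needed, since each exempted domain is one more writer of a switch that, per the commit message, determines how the dynamic linker loads ELF files. The rule covers class `file` only, which is adequate while the type labels a single node.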
@@ -171,6 +171,9 @@ type pre_reboot_dexopt_artd_file, file_type; # /data/app-metadata - extracted app metadata bundles from APKs type apk_metadata_file, file_type, data_file_type, core_data_file_type; +# Type for /sys/kernel/mm/pgsize_migration/enabled +type sysfs_pgsize_migration, fs_type, sysfs_type; + # Allow files to be created in their appropriate filesystems. allow fs_type self:filesystem associate; allow cgroup tmpfs:filesystem associate; diff --git a/private/genfs_contexts b/private/genfs_contexts index dd93f0437..635e00e55 100644 --- a/private/genfs_contexts +++ b/private/genfs_contexts @@ -169,6 +169,7 @@ genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0 genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0 genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0 genfscon sysfs /kernel/mm/lru_gen/enabled u:object_r:sysfs_lru_gen_enabled:s0 +genfscon sysfs /kernel/mm/pgsize_migration/enabled u:object_r:sysfs_pgsize_migration:s0 genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0 genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0 genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0 diff --git a/private/init.te b/private/init.te index a83e538e3..8fad9e046 100644 --- a/private/init.te +++ b/private/init.te @@ -543,6 +543,7 @@ allow init { sysfs_fs_f2fs sysfs_dm sysfs_lru_gen_enabled + sysfs_pgsize_migration }:file w_file_perms; allow init { diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te index 1ffcabe6e..8c1fdcbf7 100644 --- a/private/isolated_app_all.te +++ b/private/isolated_app_all.te @@ -100,6 +100,7 @@ neverallow { isolated_app_all -isolated_compute_app } { -sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852) -sysfs_fs_fuse_features -sysfs_fs_incfs_features + -sysfs_pgsize_migration }:file no_rw_file_perms; # No creation of sockets families other than AF_UNIX sockets.
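Review bot: The `-sysfs_pgsize_migration` exemption in private/isolated_app_all.te is subtracted from a `no_rw_file_perms` neverallow, so it lifts the isolated-app assertion for writes as well as reads. Writes stay forbidden only through the domain-wide neverallow added in private/domain.te. A trailing comment would record both facts, e.g. `-sysfs_pgsize_migration # read by the dynamic linker; writes blocked by the neverallow in domain.te`. The neverallow statement starts above this hunk.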