From 6772c50574d4e7daf4682f0303f8f37c3f600c67 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thi=C3=A9baud=20Weksteen?=
Date: Wed, 15 May 2024 13:12:40 +1000
Subject: [PATCH] Define new kernel security classes

Define new classes and access vectors recognised by the kernel.

Bug: 340491179
Test: boot and check logs for undefined class or permission
Change-Id: I9b32916ea231cf396aa326ed7e08cb14e4eb2c9b
---
 microdroid/system/private/access_vectors | 16 +++++++++++++---
 microdroid/system/private/security_classes | 6 ++++--
 private/access_vectors | 16 +++++++++++++---
 private/security_classes | 6 ++++--
 4 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
index 8c9b5daff..4fa7abe41 100644
--- a/microdroid/system/private/access_vectors
+++ b/microdroid/system/private/access_vectors
@@ -139,6 +139,8 @@ common cap2 block_suspend audit_read perfmon
+ checkpoint_restore
+ bpf
 } #
@@ -664,6 +666,12 @@ inherits socket class smc_socket inherits socket
+class xdp_socket
+inherits socket
+
+class mctp_socket
+inherits socket
+
 class bpf { map_create
@@ -703,9 +711,6 @@ class drmservice { pread }
-class xdp_socket
-inherits socket
-
 class perf_event { open
@@ -728,3 +733,8 @@ class io_uring sqpoll cmd }
+
+class user_namespace
+{
+ create
+}
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
index e74092807..aba2b604c 100644
--- a/microdroid/system/private/security_classes
+++ b/microdroid/system/private/security_classes
@@ -133,13 +133,13 @@ class vsock_socket class kcm_socket class qipcrtr_socket class smc_socket
+class xdp_socket
+class mctp_socket
 class process2 class bpf
-class xdp_socket
-
 class perf_event class io_uring
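Review bot: The two capabilities added to `common cap2` are ordered `checkpoint_restore` then `bpf`, the reverse of the kernel's capability numbering (CAP_BPF is 39, CAP_CHECKPOINT_RESTORE is 40) and, as far as I recall, of the order the kernel's classmap lists them in. This does not change the compiled policy, because the kernel resolves class and permission names by string rather than by position, so it is a readability point only: keeping the kernel's order lets the next audit of these files against classmap.h be a line-by-line comparison. I would swap the two added lines so that `bpf` comes before `checkpoint_restore`, here and in the identical hunk of private/access_vectors. The enclosing `common cap2` block opens before the hunk.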
@@ -147,6 +147,8 @@ class io_uring # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331 class lockdown
+class user_namespace
+
 # Property service class property_service # userspace
diff --git a/private/access_vectors b/private/access_vectors
index 60ec0ae0d..7a280c518 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -139,6 +139,8 @@ common cap2 block_suspend audit_read perfmon
+ checkpoint_restore
+ bpf
 } #
@@ -664,6 +666,12 @@ inherits socket class smc_socket inherits socket
+class xdp_socket
+inherits socket
+
+class mctp_socket
+inherits socket
+
 class bpf { map_create
@@ -772,9 +780,6 @@ class drmservice { pread }
-class xdp_socket
-inherits socket
-
 class perf_event { open
@@ -797,3 +802,8 @@ class io_uring sqpoll cmd }
+
+class user_namespace
+{
+ create
+}
diff --git a/private/security_classes b/private/security_classes
index 99f947f29..1d13d9fa0 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -133,13 +133,13 @@ class vsock_socket class kcm_socket class qipcrtr_socket class smc_socket
+class xdp_socket
+class mctp_socket
 class process2 class bpf
-class xdp_socket
-
 class perf_event class io_uring
@@ -147,6 +147,8 @@ class io_uring # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331 class lockdown
+class user_namespace
+
 # Property service class property_service # userspace
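Review bot: The new `class user_namespace` line sits directly under `class lockdown`, whose declaration carries an `# Introduced in <kernel commit URL>` comment, but the added class gets no such comment, so a maintainer reading the file cannot tell which kernels actually know the class. Since the commit message describes these as classes "recognised by the kernel", recording the kernel commit that added `user_namespace` to its classmap (I have not verified which commit that is, so the URL must be checked) would make the minimum kernel visible in the same way it is for lockdown. I would add `# Introduced in https://github.com/torvalds/linux/commit/<commit that added the user_namespace class>` above `+class user_namespace`, here and in the matching hunk of private/security_classes. The same reasoning applies to the added `class mctp_socket` line in the earlier hunk of each security_classes file, which likewise has no provenance comment.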