From 766caba5deef2ee02ac8aa1d406a7dab4735dfe1 Mon Sep 17 00:00:00 2001 From: Alan Stokes Date: Mon, 14 Feb 2022 14:33:37 +0000 Subject: [PATCH] Modify sepolicy for compos key changes Add the compos_key_helper domain for the process which has access to the signing key, make sure it can't be crashdumped. Also extend that protection to diced & its HAL. Rename compos_verify_key to compos_verify, because it doesn't verify keys any more. Move exec types used by Microdroid to file.te in the host rather than their own dedicated files. Bug: 218494522 Test: atest CompOsSigningHostTest CompOsDenialHostTest Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1 --- apex/com.android.compos-file_contexts | 5 ++-- microdroid/system/private/compos.te | 7 +++++- .../system/private/compos_key_helper.te | 20 ++++++++++++++++ microdroid/system/private/diced.te | 3 +++ microdroid/system/private/domain.te | 8 ++++--- microdroid/system/public/attributes | 3 +++ microdroid/vendor/hal_dice_default.te | 3 +++ private/compos.te | 1 - private/compos_verify.te | 23 +++++++++++++++++++ private/compos_verify_key.te | 20 ---------------- private/file.te | 5 ++++ private/odsign.te | 4 ++-- 12 files changed, 73 insertions(+), 29 deletions(-) create mode 100644 microdroid/system/private/compos_key_helper.te delete mode 100644 private/compos.te create mode 100644 private/compos_verify.te delete mode 100644 private/compos_verify_key.te diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts index 0502084a5..799c2c435 100644 --- a/apex/com.android.compos-file_contexts +++ b/apex/com.android.compos-file_contexts @@ -1,4 +1,5 @@ (/.*)? u:object_r:system_file:s0 -/bin/compsvc u:object_r:compos_exec:s0 -/bin/compos_verify_key u:object_r:compos_verify_key_exec:s0 +/bin/compos_key_helper u:object_r:compos_key_helper_exec:s0 +/bin/compos_verify u:object_r:compos_verify_exec:s0 /bin/composd u:object_r:composd_exec:s0 +/bin/compsvc u:object_r:compos_exec:s0 diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te index d9edb67b5..c9fc32c4a 100644 --- a/microdroid/system/private/compos.te +++ b/microdroid/system/private/compos.te @@ -30,5 +30,10 @@ dontaudit compos self:dir write; # See b/35323867#comment3 dontaudit compos self:global_capability_class_set dac_override; -# Allow domain transition into odrefresh. +# Allow running odrefresh in its own domain domain_auto_trans(compos, odrefresh_exec, odrefresh) + +# Allow running compos_key_helper in its own domain +domain_auto_trans(compos, compos_key_helper_exec, compos_key_helper) +# And killing it on error +allow compos compos_key_helper:process sigkill; diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te new file mode 100644 index 000000000..56f8d2a82 --- /dev/null +++ b/microdroid/system/private/compos_key_helper.te @@ -0,0 +1,20 @@ +# Helper process for compos to perform key derivation & signing +type compos_key_helper, domain, coredomain; +type compos_key_helper_exec, exec_type, file_type, system_file_type; + +# This domain has access to DICE secrets & the private signing key. +# Block crash dumps to ensure the secrets are not leaked. +typeattribute compos_key_helper no_crash_dump_domain; + +# Allow using DICE binder service +binder_use(compos_key_helper); +allow compos_key_helper dice_node_service:service_manager find; +binder_call(compos_key_helper, diced); +allow compos_key_helper diced:diced { get_attestation_chain derive }; + +# Communicate with compos via stdin/stdout pipes +allow compos_key_helper compos:fd use; +allow compos_key_helper compos:fifo_file { getattr read write }; + +# Write to /dev/kmsg. +allow compos_key_helper kmsg_device:chr_file rw_file_perms; diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te index 9530794d7..2dba244ae 100644 --- a/microdroid/system/private/diced.te +++ b/microdroid/system/private/diced.te @@ -1,6 +1,9 @@ type diced, domain, coredomain; type diced_exec, system_file_type, exec_type, file_type; +# Block crash dumps to ensure the DICE secrets are not leaked. +typeattribute diced no_crash_dump_domain; + # diced can be started by init init_daemon_domain(diced) diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te index ae97f75c8..ab655aa79 100644 --- a/microdroid/system/private/domain.te +++ b/microdroid/system/private/domain.te @@ -263,9 +263,7 @@ allow domain kernel:key search; # Transition to crash_dump when /system/bin/crash_dump* is executed. # This occurs when the process crashes. -# We do not apply this to the su domain to avoid interfering with -# tests (b/114136122) -domain_auto_trans(domain, crash_dump_exec, crash_dump); +domain_auto_trans({domain -no_crash_dump_domain}, crash_dump_exec, crash_dump); allow domain crash_dump:process sigchld; # Properties that microdroid doesn't have but some still want to read. @@ -605,3 +603,7 @@ neverallow { domain -init -vendor_init } debugfs_tracing_printk_formats:file *; # Linux lockdown "integrity" level is enforced for user builds. neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity; + +# These domains must not be crash dumped +neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms; +neverallow no_crash_dump_domain crash_dump:process { transition dyntransition }; diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes index e3258aec8..cdf686b8b 100644 --- a/microdroid/system/public/attributes +++ b/microdroid/system/public/attributes @@ -373,3 +373,6 @@ attribute fusefs_type; # All types run from microdroid_manager as a payload attribute microdroid_payload; + +# Domains that are blocked from producing a crash dump +attribute no_crash_dump_domain; diff --git a/microdroid/vendor/hal_dice_default.te b/microdroid/vendor/hal_dice_default.te index c20355079..88d1903b6 100644 --- a/microdroid/vendor/hal_dice_default.te +++ b/microdroid/vendor/hal_dice_default.te @@ -1,6 +1,9 @@ type hal_dice_default, domain; hal_server_domain(hal_dice_default, hal_dice) +# Block crash dumps to ensure the DICE secrets are not leaked. +typeattribute hal_dice_default no_crash_dump_domain; + type hal_dice_default_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_dice_default) diff --git a/private/compos.te b/private/compos.te deleted file mode 100644 index ffbb33e21..000000000 --- a/private/compos.te +++ /dev/null @@ -1 +0,0 @@ -type compos_exec, exec_type, file_type, system_file_type; diff --git a/private/compos_verify.te b/private/compos_verify.te new file mode 100644 index 000000000..0a281f83b --- /dev/null +++ b/private/compos_verify.te @@ -0,0 +1,23 @@ +# Run by odsign to verify a CompOS signature +type compos_verify, domain, coredomain; +type compos_verify_exec, exec_type, file_type, system_file_type; + +# Start a VM +binder_use(compos_verify); +virtualizationservice_use(compos_verify); + +# Access instance image files +allow compos_verify apex_module_data_file:dir search; +r_dir_file(compos_verify, apex_compos_data_file) + +# Read CompOS info & signature files +allow compos_verify apex_art_data_file:dir search; +allow compos_verify apex_art_data_file:file r_file_perms; + +# Allow odsign to redirect our stdout/stderr to log +allow compos_verify odsign:fd use; +allow compos_verify odsign_devpts:chr_file { read write }; + +# Only odsign can enter the domain via exec +neverallow { domain -odsign } compos_verify:process transition; +neverallow * compos_verify:process dyntransition; diff --git a/private/compos_verify_key.te b/private/compos_verify_key.te deleted file mode 100644 index e55ff1748..000000000 --- a/private/compos_verify_key.te +++ /dev/null @@ -1,20 +0,0 @@ -# Run by odsign to verify a CompOs instance's keys. -type compos_verify_key, domain, coredomain; - -type compos_verify_key_exec, exec_type, file_type, system_file_type; - -binder_use(compos_verify_key); -virtualizationservice_use(compos_verify_key); - -# Access the image & key files, delete on failure, rename pending to current -allow compos_verify_key apex_module_data_file:dir search; -allow compos_verify_key apex_compos_data_file:dir create_dir_perms; -allow compos_verify_key apex_compos_data_file:file create_file_perms; - -# Allow odsign to redirect our stdout/stderr to log -allow compos_verify_key odsign:fd use; -allow compos_verify_key odsign_devpts:chr_file { read write }; - -# Only odsign can enter the domain via exec -neverallow { domain -odsign } compos_verify_key:process transition; -neverallow * compos_verify_key:process dyntransition; diff --git a/private/file.te b/private/file.te index 9dd0615de..ec3944ef3 100644 --- a/private/file.te +++ b/private/file.te @@ -88,6 +88,11 @@ type kvm_device, dev_type; # /apex/com.android.virt/bin/fd_server type fd_server_exec, system_file_type, exec_type, file_type; +# /apex/com.android.compos/bin/compsvc +type compos_exec, exec_type, file_type, system_file_type; +# /apex/com.android.compos/bin/compos_key_helper +type compos_key_helper_exec, exec_type, file_type, system_file_type; + # /metadata/sepolicy type sepolicy_metadata_file, file_type; diff --git a/private/odsign.te b/private/odsign.te index bf097d7bb..381cf179b 100644 --- a/private/odsign.te +++ b/private/odsign.te @@ -54,8 +54,8 @@ domain_auto_trans(odsign, odrefresh_exec, odrefresh) # Run fsverity_init to add key to fsverity keyring domain_auto_trans(odsign, fsverity_init_exec, fsverity_init) -# Run compos_verify_key to verify CompOs instances -domain_auto_trans(odsign, compos_verify_key_exec, compos_verify_key) +# Run compos_verify to verify CompOs signatures +domain_auto_trans(odsign, compos_verify_exec, compos_verify) # only odsign can set odsign sysprop set_prop(odsign, odsign_prop)