Grant lockdown integrity to all processes

The default policy for the "lockdown" access vector on Android was
introduced in commit bcfca1a6. While the "confidentiality" permission
was granted to all processes, the "integrity" was marked as
neverallowed.

Upstream, the support for that access vector was removed from kernel
5.16 onwards.

It was found that the "integrity" permission either does not apply to
Android or duplicates other access control (e.g., capabilities
sys_admin).

Instead of simply removing the neverallow rule, the access is granted to
all processes. This will prevent the proliferation of references to this
access vector in vendors' policies and ultimately facilitate its
removal.

Test: presubmit
Bug: 285443587
Bug: 269377822
Bug: 319390252
Change-Id: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7
Thiébaud Weksteen 2024-02-21 16:29:38 +11:00
parent f9f826fb30
commit 99a4cbcee7
2 changed files with 8 additions and 13 deletions


@ -161,9 +161,6 @@ create_pty(untrusted_app_all)
userdebug_or_eng(` userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms; allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE }; allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
# The use of debugfs kcov is considered a breach of the kernel integrity
# according to the heuristic of lockdown.
allow untrusted_app_all self:lockdown integrity;
') ')
# Allow running a VM for test/demo purposes. Note that access to the # Allow running a VM for test/demo purposes. Note that access to the
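Review bot: dropping the kcov-specific `allow untrusted_app_all self:lockdown integrity;` from this userdebug_or_eng block is only correct because the second hunk now grants `{ confidentiality integrity }` to every domain; the explanatory comment about debugfs kcov being treated as a kernel integrity breach disappears with it, so consider keeping a one-line pointer next to the remaining `allowxperm untrusted_app_all debugfs_kcov:file ioctl { ... }` rule noting that lockdown integrity is now granted domain-wide, otherwise a later reader of the kcov rules has no hint why no lockdown rule accompanies them.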


@ -259,13 +259,14 @@ allow domain debugfs_tracing:dir search;
allow domain debugfs_tracing_debug:dir search; allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms; allow domain debugfs_trace_marker:file w_file_perms;
# Linux lockdown mode offers coarse-grained definitions for access controls. # Linux lockdown mode offered coarse-grained definitions for access controls. In
# The "confidentiality" level detects access to tracefs or the perf subsystem. # previous versions of the policy, the integrity permission was neverallowed.
# This overlaps with more precise declarations in Android's policy. The # It was found that this permission mainly duplicates pre-existing rules in
# debugfs_trace_marker above is an example in which all processes should have # the policy (see b/285443587). Additionally, some access were found to be
# some access to tracefs. Therefore, allow all domains to access this level. # required (b/269377822). The access vector was removed from kernel 5.16
# The "integrity" level is however enforced. # onwards. Grant unconditional access, these rules should be removed from the
allow domain self:lockdown confidentiality; # policy once no kernel <5.16 are supported.
allow domain self:lockdown { confidentiality integrity };
# Filesystem access. # Filesystem access.
allow domain fs_type:filesystem getattr; allow domain fs_type:filesystem getattr;
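Review bot: the new comment has grammar problems that should be fixed before submit: "some access were found to be required" should read "some accesses were found to be required", and "Grant unconditional access, these rules should be removed from the policy once no kernel <5.16 are supported." is a comma splice with a number-agreement error, better as "Grant unconditional access; these rules should be removed from the policy once no kernels older than 5.16 are supported." The rewrite also drops the earlier rationale for the confidentiality grant (the debugfs_trace_marker example explaining why all domains need some tracefs access), which is still the reason the `confidentiality` half of `allow domain self:lockdown { confidentiality integrity };` exists; consider keeping that sentence so the comment explains both permissions, not only the newly added integrity one.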
@ -1310,6 +1311,3 @@ neverallow {
} ashmem_device:chr_file open; } ashmem_device:chr_file open;
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *; neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
# Linux lockdown "integrity" level is enforced for user builds.
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
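Review bot: removing this neverallow is required for the policy to compile, since it would directly conflict with the new `allow domain self:lockdown { confidentiality integrity };` in the previous hunk, but it also deletes the policy's only statement that the lockdown "integrity" level was enforced on user builds, and nothing in this file records why that guarantee was dropped. The justification (the permission duplicates existing rules and capability checks, and the access vector is gone from kernel 5.16 onwards) lives only in the commit message and in the comment in the other file; consider referencing the same bug ids (b/285443587, b/269377822) here or in the comment above the domain-wide allow so the removal of a user-build restriction stays auditable from the policy source itself.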