Merge "Grant lockdown integrity to all processes" into android14-tests-dev
This commit is contained in:
commit
9dba1b8892
6 changed files with 24 additions and 39 deletions
|
@ -166,9 +166,6 @@ create_pty(untrusted_app_all)
|
|||
userdebug_or_eng(`
|
||||
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
|
||||
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
|
||||
# The use of debugfs kcov is considered a breach of the kernel integrity
|
||||
# according to the heuristic of lockdown.
|
||||
allow untrusted_app_all self:lockdown integrity;
|
||||
')
|
||||
|
||||
# Allow running a VM for test/demo purposes. Note that access the service is
|
||||
|
|
|
@ -281,13 +281,14 @@ allow domain debugfs_tracing:dir search;
|
|||
allow domain debugfs_tracing_debug:dir search;
|
||||
allow domain debugfs_trace_marker:file w_file_perms;
|
||||
|
||||
# Linux lockdown mode offers coarse-grained definitions for access controls.
|
||||
# The "confidentiality" level detects access to tracefs or the perf subsystem.
|
||||
# This overlaps with more precise declarations in Android's policy. The
|
||||
# debugfs_trace_marker above is an example in which all processes should have
|
||||
# some access to tracefs. Therefore, allow all domains to access this level.
|
||||
# The "integrity" level is however enforced.
|
||||
allow domain self:lockdown confidentiality;
|
||||
# Linux lockdown mode offered coarse-grained definitions for access controls. In
|
||||
# previous versions of the policy, the integrity permission was neverallowed.
|
||||
# It was found that this permission mainly duplicates pre-existing rules in
|
||||
# the policy (see b/285443587). Additionally, some access were found to be
|
||||
# required (b/269377822). The access vector was removed from kernel 5.16
|
||||
# onwards. Grant unconditional access, these rules should be removed from the
|
||||
# policy once no kernel <5.16 are supported.
|
||||
allow domain self:lockdown { confidentiality integrity };
|
||||
|
||||
# Filesystem access.
|
||||
allow domain fs_type:filesystem getattr;
|
||||
|
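Review bot: The rewritten comment explains why `integrity` is now granted but drops the rationale for `confidentiality` that the replaced lines carried (the overlap with tracefs/perf access and the `debugfs_trace_marker` rule above), so the surviving `allow domain self:lockdown { confidentiality integrity };` is only half documented; keeping one line such as `# "confidentiality" stays granted because it overlaps with tracefs/perf access every domain already has (see debugfs_trace_marker above).` ahead of the new paragraph would preserve it. The new paragraph also reads awkwardly (`some access were found`, `no kernel <5.16 are supported`, and the comma splice in `Grant unconditional access, these rules should be removed`); a tidier last sentence is `# Grant unconditional access; remove these rules once no kernel <5.16 is supported.` Because the comment itself says `integrity` only "mainly" duplicates existing rules, and the later hunk removes the `neverallow` on `self:lockdown integrity`, the pre-5.16 defence-in-depth disappears with no compile-time guard left, so marking the removal condition as `# TODO(b/285443587)` would keep the follow-up discoverable. The same hunk is repeated at `@ -256,13 +256,14` in the two other copies of this file further down the page.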
@ -1349,6 +1350,3 @@ neverallow {
|
|||
} ashmem_device:chr_file open;
|
||||
|
||||
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
|
||||
|
||||
# Linux lockdown "integrity" level is enforced for user builds.
|
||||
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
|
||||
|
|
|
@ -161,9 +161,6 @@ create_pty(untrusted_app_all)
|
|||
userdebug_or_eng(`
|
||||
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
|
||||
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
|
||||
# The use of debugfs kcov is considered a breach of the kernel integrity
|
||||
# according to the heuristic of lockdown.
|
||||
allow untrusted_app_all self:lockdown integrity;
|
||||
')
|
||||
|
||||
# Allow running a VM for test/demo purposes. Note that access to the
|
||||
|
|
|
@ -256,13 +256,14 @@ allow domain debugfs_tracing:dir search;
|
|||
allow domain debugfs_tracing_debug:dir search;
|
||||
allow domain debugfs_trace_marker:file w_file_perms;
|
||||
|
||||
# Linux lockdown mode offers coarse-grained definitions for access controls.
|
||||
# The "confidentiality" level detects access to tracefs or the perf subsystem.
|
||||
# This overlaps with more precise declarations in Android's policy. The
|
||||
# debugfs_trace_marker above is an example in which all processes should have
|
||||
# some access to tracefs. Therefore, allow all domains to access this level.
|
||||
# The "integrity" level is however enforced.
|
||||
allow domain self:lockdown confidentiality;
|
||||
# Linux lockdown mode offered coarse-grained definitions for access controls. In
|
||||
# previous versions of the policy, the integrity permission was neverallowed.
|
||||
# It was found that this permission mainly duplicates pre-existing rules in
|
||||
# the policy (see b/285443587). Additionally, some access were found to be
|
||||
# required (b/269377822). The access vector was removed from kernel 5.16
|
||||
# onwards. Grant unconditional access, these rules should be removed from the
|
||||
# policy once no kernel <5.16 are supported.
|
||||
allow domain self:lockdown { confidentiality integrity };
|
||||
|
||||
# Filesystem access.
|
||||
allow domain fs_type:filesystem getattr;
|
||||
|
@ -1283,9 +1284,6 @@ neverallow {
|
|||
|
||||
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
|
||||
|
||||
# Linux lockdown "integrity" level is enforced for user builds.
|
||||
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
|
||||
|
||||
# Allow everyone to read media server-configurable flags, so that libstagefright can be
|
||||
# configured using server-configurable flags
|
||||
get_prop(domain, device_config_media_native_prop)
|
||||
|
|
|
@ -161,9 +161,6 @@ create_pty(untrusted_app_all)
|
|||
userdebug_or_eng(`
|
||||
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
|
||||
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
|
||||
# The use of debugfs kcov is considered a breach of the kernel integrity
|
||||
# according to the heuristic of lockdown.
|
||||
allow untrusted_app_all self:lockdown integrity;
|
||||
')
|
||||
|
||||
# Allow running a VM for test/demo purposes. Note that access to the
|
||||
|
|
|
@ -256,13 +256,14 @@ allow domain debugfs_tracing:dir search;
|
|||
allow domain debugfs_tracing_debug:dir search;
|
||||
allow domain debugfs_trace_marker:file w_file_perms;
|
||||
|
||||
# Linux lockdown mode offers coarse-grained definitions for access controls.
|
||||
# The "confidentiality" level detects access to tracefs or the perf subsystem.
|
||||
# This overlaps with more precise declarations in Android's policy. The
|
||||
# debugfs_trace_marker above is an example in which all processes should have
|
||||
# some access to tracefs. Therefore, allow all domains to access this level.
|
||||
# The "integrity" level is however enforced.
|
||||
allow domain self:lockdown confidentiality;
|
||||
# Linux lockdown mode offered coarse-grained definitions for access controls. In
|
||||
# previous versions of the policy, the integrity permission was neverallowed.
|
||||
# It was found that this permission mainly duplicates pre-existing rules in
|
||||
# the policy (see b/285443587). Additionally, some access were found to be
|
||||
# required (b/269377822). The access vector was removed from kernel 5.16
|
||||
# onwards. Grant unconditional access, these rules should be removed from the
|
||||
# policy once no kernel <5.16 are supported.
|
||||
allow domain self:lockdown { confidentiality integrity };
|
||||
|
||||
# Filesystem access.
|
||||
allow domain fs_type:filesystem getattr;
|
||||
|
@ -1287,9 +1288,6 @@ neverallow {
|
|||
|
||||
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
|
||||
|
||||
# Linux lockdown "integrity" level is enforced for user builds.
|
||||
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
|
||||
|
||||
# Allow everyone to read media server-configurable flags, so that libstagefright can be
|
||||
# configured using server-configurable flags
|
||||
get_prop(domain, device_config_media_native_prop)
|
||||
|
|