Initial selinux policy support for memfd

Move all app tmpfs types to appdomain_tmpfs. These are still protected
by mls categories and DAC. TODO: clean up other app tmpfs types in a
separate change.

Treble-ize tmpfs passing between graphics composer HAL and
surfaceflinger.

Bug: 122854450
Test: boot Blueline with memfd enabled.
Change-Id: Ib98aaba062f10972af6ae80fb85b7a0f60a32eee
Jeff Vander Stoep 2019-01-29 14:43:45 -08:00 committed by Jeffrey Vander Stoep
parent 37ab42e542
commit 9f5d0d90a3
12 changed files with 34 additions and 23 deletions


@ -1,15 +1,3 @@
# TODO: deal with tmpfs_domain pub/priv split properly
# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;
# Read from (but not create) system_server buffers transferred through
# ashmem, e.g. battery stats.
allow appdomain system_server_tmpfs:file read;
# Get info from priv_app through ashmem, such as contact
# info etc.
allow appdomain priv_app_tmpfs:file read;
# Allow apps to read the Test Harness Mode property. This property is used in
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)


@ -7,8 +7,6 @@
( new_objects
activity_task_service
adb_service
app_binding_service
app_prediction_service
apex_data_file
apex_mnt_dir
apex_key_file
@ -17,6 +15,9 @@
apexd_exec
apexd_prop
apexd_tmpfs
appdomain_tmpfs
app_binding_service
app_prediction_service
app_zygote
app_zygote_tmpfs
biometric_service
@ -47,6 +48,7 @@
external_vibrator_service
hal_atrace_hwservice
hal_face_hwservice
hal_graphics_composer_server_tmpfs
hal_health_storage_hwservice
hal_input_classifier_hwservice
hal_power_stats_hwservice


@ -2,3 +2,6 @@ typeattribute mediaextractor coredomain;
init_daemon_domain(mediaextractor)
tmpfs_domain(mediaextractor)
allow mediaextractor appdomain_tmpfs:file { getattr map read write };
allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
allow mediaextractor system_server_tmpfs:file { getattr map read write };
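Review bot: The three new allow rules give mediaextractor `{ getattr map read write }` on appdomain_tmpfs, mediaserver_tmpfs and system_server_tmpfs without a comment, and mediaextractor is the domain that by design handles untrusted media input. Record why write, not just read/map, is needed for each buffer source, e.g. `# memfd/ashmem buffers received by fd from apps, mediaserver and system_server.`, and if only some of them are written to, split the rule so the others stay `{ getattr map read }`. The enclosing file continues outside the hunk, so an existing rationale elsewhere in mediaextractor.te may already cover this.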


@ -57,14 +57,14 @@ mlsconstrain dir_file_class_set { create relabelfrom relabelto }
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
( (t2 != app_data_file and t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
# For symlinks in app_data_file, require equivalence in order to manipulate or follow (read).
mlsconstrain { lnk_file } { open setattr unlink link rename read }
( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
# For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
# TODO: Migrate to equivalence when it's no longer needed.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
( (t2 != privapp_data_file and t2 != priv_app_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
#
# Constraints for file types other than app data files.
@ -76,7 +76,7 @@ mlsconstrain dir { read getattr search }
(t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
(t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
@ -84,7 +84,7 @@ mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
(t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
(t2 == app_data_file or t2 == privapp_data_file or t2 == priv_app_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
(t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
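Review bot: The renamed constraints leave the security property implicit: for appdomain_tmpfs, `l1 dom l2` is required only in the `{ open setattr unlink link rename }` constraint of the first hunk, while the `{ read getattr execute }` and `{ write setattr append unlink link rename }` constraints in the later hunks exempt `t2 == appdomain_tmpfs` outright, so an fd that is already open can be read, written and mapped across categories. That matches fd passing over binder, but the commit message's "still protected by mls categories" holds for open() only. Worth a comment next to the first constraint, e.g. `# appdomain_tmpfs: categories gate open() only; read/write/map on a passed fd are exempted below.`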


@ -4,6 +4,7 @@ typeattribute surfaceflinger coredomain;
type surfaceflinger_exec, system_file_type, exec_type, file_type;
init_daemon_domain(surfaceflinger)
tmpfs_domain(surfaceflinger)
typeattribute surfaceflinger mlstrustedsubject;
typeattribute surfaceflinger display_service_server;
@ -13,6 +14,7 @@ read_runtime_log_tags(surfaceflinger)
# Perform HwBinder IPC.
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
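Review bot: The new `typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;` sits between the hal_client_domain lines with no explanation of what it opens up: per the attribute's rules in hal_graphics_composer.te, every composer server domain gets read/write/map on surfaceflinger's tmpfs buffers. A one-line comment would make the intent reviewable, e.g. `# Let the composer HAL read/write memfd buffers surfaceflinger passes to it by fd.`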


@ -13,6 +13,7 @@ tmpfs_domain(system_server)
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
allow system_server zygote_tmpfs:file read;
allow system_server appdomain_tmpfs:file { getattr map read write };
# For art.
allow system_server dalvikcache_data_file:dir r_dir_perms;


@ -6,6 +6,7 @@
### extend from this policy. Only policies which should apply to ALL
### zygote spawned apps should be added here.
###
type appdomain_tmpfs, file_type;
# WebView and other application-specific JIT compilers
allow appdomain self:process execmem;
@ -351,6 +352,12 @@ with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
# Read access to FDs from the DropboxManagerService.
allow appdomain dropbox_data_file:file { getattr read };
# Read tmpfs types from these processes.
allow appdomain audioserver_tmpfs:file { getattr map read write };
allow appdomain system_server_tmpfs:file { getattr map read write };
allow appdomain zygote_tmpfs:file { map read };
###
### Neverallow rules
###
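Review bot: The comment `# Read tmpfs types from these processes.` does not match the rules under it, which grant `{ getattr map read write }` on audioserver_tmpfs and system_server_tmpfs, while the zygote rule deliberately stops at `{ map read }`; the old app.te hunk at the top of this commit documented the system_server case as "Read from (but not create) system_server buffers". If write is now required for memfd sharing, say so, e.g. `# Read/write tmpfs (memfd/ashmem) buffers passed by fd from these processes; zygote buffers stay read-only.`; otherwise narrow those two rules to `{ getattr map read }`. Note that system_server_tmpfs also becomes mlstrustedobject in this commit, so the MLS category check will not limit this access either.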


@ -1,6 +1,12 @@
type hal_graphics_composer_server_tmpfs, file_type;
attribute hal_graphics_composer_client_tmpfs;
expandattribute hal_graphics_composer_client_tmpfs true;
# HwBinder IPC from client to server, and callbacks
binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
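Review bot: The three new declarations (`type hal_graphics_composer_server_tmpfs`, the `hal_graphics_composer_client_tmpfs` attribute and its `expandattribute ... true`) have no comment, unlike the IPC rules below them. Because the attribute is expanded at build time, every type added to it (surfaceflinger_tmpfs in this commit) becomes directly readable and writable by every hal_graphics_composer_server domain, which is worth stating where the attribute is declared, e.g. `# tmpfs (memfd) buffers exchanged over HwBinder: servers label theirs hal_graphics_composer_server_tmpfs; clients tag their tmpfs type with hal_graphics_composer_client_tmpfs.`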


@ -1,2 +1,3 @@
# surfaceflinger - display compositor service
type surfaceflinger, domain;
type surfaceflinger_tmpfs, file_type;


@ -3,4 +3,4 @@
# Most of the framework services run in this process.
#
type system_server, domain;
type system_server_tmpfs, file_type;
type system_server_tmpfs, file_type, mlstrustedobject;
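Review bot: Adding `mlstrustedobject` to system_server_tmpfs exempts every system_server tmpfs file from the MLS read and write constraints (`t2 == mlstrustedobject` in the private/mls hunks of this commit), so any domain with TE permission can access those files regardless of category, and the commit message does not say why that is needed. Suggest a comment on the declaration, e.g. `# mlstrustedobject: system_server buffers are handed by fd to apps of any MLS category.`, so the exemption is not widened further without a stated reason.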


@ -168,10 +168,9 @@ domain_auto_trans(init, $1_exec, $1)
# Allow a base set of permissions required for all apps.
define(`app_domain', `
typeattribute $1 appdomain;
# Label ashmem objects with our own unique type.
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
allow $1 appdomain_tmpfs:file { execute getattr map read write };
neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
# The Android security model guarantees the confidentiality and integrity
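Review bot: The new `allow $1 appdomain_tmpfs:file { execute getattr map read write }` gives every domain built with app_domain TE access, including execute, to the one tmpfs type all of them now share, whereas the removed `tmpfs_domain($1)` and `allow $1 $1_tmpfs:file execute` kept that access per domain. The comment `# Label tmpfs objects for all apps.` should record this and what still separates apps, e.g. `# All app domains share appdomain_tmpfs: type enforcement no longer separates app memfd buffers; isolation relies on MLS categories at open(), DAC and not leaking fds.` The neverallow lines that follow still only cover `$1:file`, so they do not constrain the shared type.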


@ -3,6 +3,8 @@ hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_composer_default)
type_transition hal_graphics_composer_default tmpfs:file hal_graphics_composer_server_tmpfs;
allow hal_graphics_composer_default hal_graphics_composer_server_tmpfs:file { getattr map read write };
# b/68864350
dontaudit hal_graphics_composer_default unlabeled:dir search;