diff --git a/Android.mk b/Android.mk
index 9feb39260..3384af3dd 100644
--- a/Android.mk
+++ b/Android.mk
@@ -301,6 +301,11 @@ ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
 enforce_sysprop_owner := false
 endif
 
+enforce_debugfs_restriction := false
+ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
+ enforce_debugfs_restriction := true
+endif
+
 ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
 #$(warning no product shipping level defined)
 else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@@ -631,6 +636,7 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -648,6 +654,7 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy_2.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
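Review bot: `enforce_debugfs_restriction` stays `false` unless a product sets `PRODUCT_SET_DEBUGFS_RESTRICTIONS` to exactly `true`, so by default none of the `debugfs_type` neverallows this change introduces are emitted — the opposite default from `enforce_sysprop_owner` directly above, which is on unless a `BUILD_BROKEN_*` knob switches it off. The te_macros comment says the CTS markers target S-launch devices and newer, yet nothing here ties the default to the launch level; if that is the intent, deriving a default inside the `PRODUCT_SHIPPING_API_LEVEL` branch that follows (its `math_lt,30,...` test already singles out launch level 31 and up) would make the restriction opt-out rather than opt-in. At minimum a comment above the block should state the fail-open default: `# Opt-in: the debugfs mount neverallows are emitted only when the product sets PRODUCT_SET_DEBUGFS_RESTRICTIONS := true; otherwise the no_debugfs_restriction rules apply.`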
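Review bot: The same `PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)` assignment is repeated on nine conf targets — here and in the `@@ -648`, `@@ -706`, `@@ -723`, `@@ -826`, `@@ -889`, `@@ -1155`, `@@ -1392` and `@@ -1424` hunks — and in the `odm_policy.conf` hunk it is inserted before `PRIVATE_ENFORCE_SYSPROP_OWNER` instead of after it as on every other target. Any conf target that invokes `transform-policy-to-conf` without this target-specific variable expands to an empty `-D target_enforce_debugfs_restriction=`, which the te_macros `ifelse` treats as not `true`, i.e. the unrestricted rule set, with no build error; whether every such target in Android.mk is covered is not visible from these hunks. Keeping the line in the same relative position on every target makes that audit a plain grep, so I would move the odm_policy one below `PRIVATE_ENFORCE_SYSPROP_OWNER`.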
@@ -706,6 +713,7 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -723,6 +731,7 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy_policy_2.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -826,6 +835,7 @@ $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(vendor_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -889,6 +899,7 @@ $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
 $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
 $(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(odm_policy.conf): $(policy_files) $(M4)
@@ -1155,6 +1166,7 @@ $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
 $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
 $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
 $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
+$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(sepolicy.recovery.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -1392,6 +1404,7 @@ $(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(base_plat_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -1424,6 +1437,7 @@ $(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
 $(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
 $(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
 $(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
 $(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
 $(base_plat_pub_policy.conf): $(policy_files) $(M4)
 	$(transform-policy-to-conf)
@@ -1542,6 +1556,7 @@ built_vendor_svc :=
 built_plat_sepolicy :=
 treble_sysprop_neverallow :=
 enforce_sysprop_owner :=
+enforce_debugfs_restriction :=
 mapping_policy :=
 my_target_arch :=
 pub_policy.cil :=
diff --git a/build/soong/policy.go b/build/soong/policy.go
index 9d574c98e..75fbdf178 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -135,6 +135,13 @@ func (c *policyConf) enforceSyspropOwner(ctx android.ModuleContext) string {
 	return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
 }
 
+func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
+	if c.cts() {
+		return "cts"
+	}
+	return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
+}
+
 func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
 	conf := android.PathForModuleOut(ctx, "conf").OutputPath
 	rule := android.NewRuleBuilder(pctx, ctx)
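Review bot: `enforceDebugfsRestrictions` can return a third value, `cts`, that the Make-side switch in Android.mk (`enforce_debugfs_restriction := true|false`, driven by `PRODUCT_SET_DEBUGFS_RESTRICTIONS`) never produces, and the Soong side reads `ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled()` rather than that product variable; whether the two resolve to the same product setting is not visible here, and if they do not, Soong-built and Make-built confs for one device could disagree on whether the debugfs neverallows are emitted. Because the return value is an m4 define value rather than a plain bool, the method deserves a doc comment: `// enforceDebugfsRestrictions returns the value of the m4 define target_enforce_debugfs_restriction: "cts" for CTS policy builds (te_macros then wraps the rules in the BEGIN/END_LAUNCHING_WITH_S_ONLY markers), otherwise "true"/"false" from BuildDebugfsRestrictionsEnabled.` The method name is plural while the Make variable and the m4 define are singular (`enforce_debugfs_restriction`); using one spelling would keep the three greppable together.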
@@ -154,6 +161,7 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
 		FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
 		FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
 		FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
+		FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
 		Flag("-s").
 		Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
 		Text("> ").Output(conf)
diff --git a/definitions.mk b/definitions.mk
index 95f297b1d..63c4d94af 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -15,6 +15,7 @@ $(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
 	-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
 	-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
 	-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
+	-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
 	$(PRIVATE_TGT_RECOVERY) \
 	-s $(PRIVATE_POLICY_FILES) > $@
 endef
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
index 20ceaa77e..a591a4892 100644
--- a/prebuilt_policy.mk
+++ b/prebuilt_policy.mk
@@ -61,6 +61,7 @@ $(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
 $(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
 $(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
 $(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
+$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
 $(1): PRIVATE_POLICY_FILES := $$(policy_files)
 $(1): $$(policy_files) $$(M4)
 	$$(transform-policy-to-conf)
diff --git a/private/domain.te b/private/domain.te
index 9e2e033b1..c7a34953e 100644
--- a/private/domain.te
+++ b/private/domain.te
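Review bot: `-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION)` is handed to m4 even when the target-specific variable was never set, in which case the define is empty, the te_macros `ifelse(target_enforce_debugfs_restriction, `true', ...)` takes its else branch, and the conf is built without the debugfs neverallows while the `no_debugfs_restriction` rules are kept — the unrestricted outcome, with no build error to show for it. Since `transform-policy-to-conf` is shared by every conf target (including the `$(1)` targets of prebuilt_policy.mk), a guard would turn a forgotten assignment into a build failure instead: `$(if $(strip $(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION)),,$(error PRIVATE_ENFORCE_DEBUGFS_RESTRICTION not set for $@))` as a line before the `$(M4)` invocation, or at least an explicit `false` fallback in the `-D` argument. The `define transform-policy-to-conf` body begins before this hunk.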
@@ -367,7 +367,15 @@ neverallow {
 -update_engine
 -vold
 -zygote
-} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+} { fs_type
+ -sdcard_type
+}:filesystem { mount remount relabelfrom relabelto };
+
+enforce_debugfs_restriction(`
+ neverallow {
+ domain userdebug_or_eng(`-init')
+ } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
+')
 
 # Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
 neverallow {
diff --git a/public/init.te b/public/init.te
index 893573e1c..b57abad4d 100644
--- a/public/init.te
+++ b/public/init.te
@@ -162,7 +162,19 @@ allowxperm init dev_type:blk_file ioctl BLKROSET;
 # which should all be assigned the contextmount_type attribute.
 # This can be done in device-specific policy via type or typeattribute
 # declarations.
-allow init fs_type:filesystem ~relabelto;
+allow init {
+ fs_type
+ enforce_debugfs_restriction(`-debugfs_type')
+}:filesystem ~relabelto;
+
+# Allow init to mount/unmount debugfs in non-user builds.
+enforce_debugfs_restriction(`
+ userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
+')
+
+# Allow init to mount tracefs in /sys/kernel/tracing
+allow init debugfs_tracing_debug:filesystem mount;
+
 allow init unlabeled:filesystem ~relabelto;
 allow init contextmount_type:filesystem relabelto;
 
diff --git a/public/recovery.te b/public/recovery.te
index 63ba3ee8c..364988887 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -32,7 +32,7 @@ recovery_only(`
 # Mount filesystems.
 allow recovery rootfs:dir mounton;
 allow recovery tmpfs:dir mounton;
- allow recovery fs_type:filesystem ~relabelto;
+ allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
 allow recovery unlabeled:filesystem ~relabelto;
 allow recovery contextmount_type:filesystem relabelto;
 
diff --git a/public/te_macros b/public/te_macros
index 1ce554100..8d15d4758 100644
--- a/public/te_macros
+++ b/public/te_macros
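Review bot: The new neverallow constrains only the `filesystem` permissions `{ mount remount relabelfrom relabelto }` on `debugfs_type`; it says nothing about what a domain may do with files under a debugfs that is already mounted (init may mount it on userdebug/eng per the init.te hunk), so any file-level `debugfs_type` access rules that exist elsewhere are untouched by this change — not visible from this hunk. `unmount` is also deliberately left out of the neverallowed set, which matches the `{ mount unmount }` grant to init in init.te but is worth stating. A comment above the macro call would make both points explicit: `# With debugfs restrictions enforced, only init (and only on userdebug/eng) may mount debugfs; tracefs (debugfs_tracing_debug) is exempt. This governs mounting only, not file access on an already-mounted debugfs.` The reflow of the preceding `fs_type -sdcard_type` rule onto three lines is unrelated formatting churn that makes the hunk noisier than it needs to be.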
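Review bot: Carving `debugfs_type` out of the `fs_type` set on the `~relabelto` rule removes every `filesystem` permission init had on debugfs when restrictions are enforced (e.g. `getattr`, `remount`, `unmount`), not just `mount`, and the `userdebug_or_eng` grant below restores only `{ mount unmount }`, so on user builds init keeps no `filesystem` permission on debugfs at all. That looks intentional, but the comment `# Allow init to mount/unmount debugfs in non-user builds.` describes the grant and not the removal; I would put a comment on the first rule, `# When debugfs restrictions are enforced, debugfs_type is carved out: init has no filesystem permissions on debugfs on user builds, and only mount/unmount on userdebug/eng (see below).` The unconditional `allow init debugfs_tracing_debug:filesystem mount;` is consistent with tracefs being excluded from the domain.te neverallow.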
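Review bot: Style: the rewritten rule is one long line while the equivalent change in init.te splits the type set across lines; matching init.te's layout keeps the two carve-outs visually identical and easier to compare. Unlike init.te, there is no `userdebug_or_eng` grant of `{ mount unmount }` on `debugfs_type` and no `debugfs_tracing_debug` mount allowance for recovery, so with restrictions enforced recovery has no `filesystem` permission on debugfs in any build type; if that is intended, a one-line comment above the rule, `# No debugfs mount for recovery in any build type when restrictions are enforced.`, would spare the next reader the comparison. The enclosing `recovery_only(` block starts before this hunk.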
@@ -505,6 +505,23 @@ $1
 #
 define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
 
+#####################################
+# enforce_debugfs_restriction
+# SELinux rules which apply to devices that enable debugfs restrictions.
+# The keyword "cts" is used to insert markers to only CTS test the neverallows
+# added by the macro for S-launch devices and newer.
+define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
+ifelse(target_enforce_debugfs_restriction, `cts',
+# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# no_debugfs_restriction
+# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
+define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
+
 #####################################
 # Compatible property only
 # SELinux rules which apply only to devices with compatible property
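Review bot: `no_debugfs_restriction` tests only for `true`, so in the `cts` mode that `enforceDebugfsRestrictions` produces both macros expand: `enforce_debugfs_restriction` emits its rules between the `BEGIN/END_LAUNCHING_WITH_S_ONLY` markers and `no_debugfs_restriction` emits its rules as well, so the CTS policy carries both the restricted and the unrestricted rule sets. That may be exactly how CTS is meant to strip the S-only neverallows for older devices, but the header comment does not say so, and nothing tells a reader that any other value of the define — including the empty value produced when it is not set — behaves like `false`. Suggest extending the two header comments: on `enforce_debugfs_restriction`, `# Any value other than "true" or "cts" (including unset) expands to nothing.`, and on `no_debugfs_restriction`, `# Also expands in "cts" mode, so the CTS policy contains both rule sets.`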