Revert "Revert "Add a neverallow for debugfs mounting""

This reverts commit f9dbb72654.
Issues with GSI testing fixed with
https://android-review.googlesource.com/c/platform/build/+/1686425/

Bug: 184381659
Test: manual
Change-Id: Icd07430c606e294dfaad2fc9b37d34e3dae8cbfc
This commit is contained in:
Hridya Valsaraju 2021-04-26 16:32:17 -07:00
parent 351331b015
commit a885dd84c7
8 changed files with 65 additions and 3 deletions

View file

@ -301,6 +301,11 @@ ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
enforce_sysprop_owner := false enforce_sysprop_owner := false
endif endif
enforce_debugfs_restriction := false
ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
enforce_debugfs_restriction := true
endif
ifeq ($(PRODUCT_SHIPPING_API_LEVEL),) ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
#$(warning no product shipping level defined) #$(warning no product shipping level defined)
else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),) else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
@ -631,6 +636,7 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) $(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy.conf): $(policy_files) $(M4) $(sepolicy_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf) $(transform-policy-to-conf)
@ -648,6 +654,7 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files) $(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy_2.conf): $(policy_files) $(M4) $(sepolicy_policy_2.conf): $(policy_files) $(M4)
$(transform-policy-to-conf) $(transform-policy-to-conf)
@ -706,6 +713,7 @@ $(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) $(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy.conf): $(policy_files) $(M4) $(sepolicy_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf) $(transform-policy-to-conf)
@ -723,6 +731,7 @@ $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files) $(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy_2.conf): $(policy_files) $(M4) $(sepolicy_policy_2.conf): $(policy_files) $(M4)
$(transform-policy-to-conf) $(transform-policy-to-conf)
@ -826,6 +835,7 @@ $(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) $(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) $(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) $(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(vendor_policy.conf): $(policy_files) $(M4) $(vendor_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf) $(transform-policy-to-conf)
@ -889,6 +899,7 @@ $(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT) $(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) $(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) $(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) $(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(odm_policy.conf): $(policy_files) $(M4) $(odm_policy.conf): $(policy_files) $(M4)
@ -1155,6 +1166,7 @@ $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage) $(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS) $(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true $(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files) $(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy.recovery.conf): $(policy_files) $(M4) $(sepolicy.recovery.conf): $(policy_files) $(M4)
$(transform-policy-to-conf) $(transform-policy-to-conf)
@ -1392,6 +1404,7 @@ $(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) $(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) $(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) $(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_policy.conf): $(policy_files) $(M4) $(base_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf) $(transform-policy-to-conf)
@ -1424,6 +1437,7 @@ $(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY) $(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow) $(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner) $(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files) $(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_pub_policy.conf): $(policy_files) $(M4) $(base_plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf) $(transform-policy-to-conf)
@ -1542,6 +1556,7 @@ built_vendor_svc :=
built_plat_sepolicy := built_plat_sepolicy :=
treble_sysprop_neverallow := treble_sysprop_neverallow :=
enforce_sysprop_owner := enforce_sysprop_owner :=
enforce_debugfs_restriction :=
mapping_policy := mapping_policy :=
my_target_arch := my_target_arch :=
pub_policy.cil := pub_policy.cil :=

View file

@ -135,6 +135,13 @@ func (c *policyConf) enforceSyspropOwner(ctx android.ModuleContext) string {
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner()) return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
} }
func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
if c.cts() {
return "cts"
}
return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
}
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath { func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
conf := android.PathForModuleOut(ctx, "conf").OutputPath conf := android.PathForModuleOut(ctx, "conf").OutputPath
rule := android.NewRuleBuilder(pctx, ctx) rule := android.NewRuleBuilder(pctx, ctx)
@ -154,6 +161,7 @@ func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.Ou
FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)). FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))). FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())). FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
Flag("-s"). Flag("-s").
Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)). Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
Text("> ").Output(conf) Text("> ").Output(conf)

View file

@ -15,6 +15,7 @@ $(hide) $(M4) --fatal-warnings $(PRIVATE_ADDITIONAL_M4DEFS) \
-D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \ -D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \ -D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \ -D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
-D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
$(PRIVATE_TGT_RECOVERY) \ $(PRIVATE_TGT_RECOVERY) \
-s $(PRIVATE_POLICY_FILES) > $@ -s $(PRIVATE_POLICY_FILES) > $@
endef endef

View file

@ -61,6 +61,7 @@ $(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY) $(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow) $(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner) $(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
$(1): PRIVATE_POLICY_FILES := $$(policy_files) $(1): PRIVATE_POLICY_FILES := $$(policy_files)
$(1): $$(policy_files) $$(M4) $(1): $$(policy_files) $$(M4)
$$(transform-policy-to-conf) $$(transform-policy-to-conf)

View file

@ -367,7 +367,15 @@ neverallow {
-update_engine -update_engine
-vold -vold
-zygote -zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto }; } { fs_type
-sdcard_type
}:filesystem { mount remount relabelfrom relabelto };
enforce_debugfs_restriction(`
neverallow {
domain userdebug_or_eng(`-init')
} { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
')
# Limit raw I/O to these allowlisted domains. Do not apply to debug builds. # Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
neverallow { neverallow {

View file

@ -162,7 +162,19 @@ allowxperm init dev_type:blk_file ioctl BLKROSET;
# which should all be assigned the contextmount_type attribute. # which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute # This can be done in device-specific policy via type or typeattribute
# declarations. # declarations.
allow init fs_type:filesystem ~relabelto; allow init {
fs_type
enforce_debugfs_restriction(`-debugfs_type')
}:filesystem ~relabelto;
# Allow init to mount/unmount debugfs in non-user builds.
enforce_debugfs_restriction(`
userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
')
# Allow init to mount tracefs in /sys/kernel/tracing
allow init debugfs_tracing_debug:filesystem mount;
allow init unlabeled:filesystem ~relabelto; allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto; allow init contextmount_type:filesystem relabelto;

View file

@ -32,7 +32,7 @@ recovery_only(`
# Mount filesystems. # Mount filesystems.
allow recovery rootfs:dir mounton; allow recovery rootfs:dir mounton;
allow recovery tmpfs:dir mounton; allow recovery tmpfs:dir mounton;
allow recovery fs_type:filesystem ~relabelto; allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto; allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto; allow recovery contextmount_type:filesystem relabelto;

View file

@ -505,6 +505,23 @@ $1
# #
define(`not_full_treble', ifelse(target_full_treble, `true', , $1)) define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
# enforce_debugfs_restriction
# SELinux rules which apply to devices that enable debugfs restrictions.
# The keyword "cts" is used to insert markers to only CTS test the neverallows
# added by the macro for S-launch devices and newer.
define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
ifelse(target_enforce_debugfs_restriction, `cts',
# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
$1
# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
, )))
#####################################
# no_debugfs_restriction
# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
##################################### #####################################
# Compatible property only # Compatible property only
# SELinux rules which apply only to devices with compatible property # SELinux rules which apply only to devices with compatible property