sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal
and recovery modes
This reverts commit aa8bb3a29b.
Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
This commit is contained in:
parent
e8d2732651
commit
aa4ce95c6f
35 changed files with 55 additions and 4 deletions
@ -228,6 +228,7 @@ neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
|
|||
|
||||
# Untrusted apps are not allowed to use cgroups.
|
||||
neverallow all_untrusted_apps cgroup:file *;
|
||||
neverallow all_untrusted_apps cgroup_v2:file *;
|
||||
|
||||
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
|
||||
# must not use it.
|
||||
|
|
|
@ -54,6 +54,10 @@ allow domain cgroup:dir search;
|
|||
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
|
||||
allow { domain -appdomain -rs } cgroup:file w_file_perms;
|
||||
|
||||
allow domain cgroup_v2:dir search;
|
||||
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
|
||||
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
|
||||
|
||||
allow domain cgroup_rc_file:dir search;
|
||||
allow domain cgroup_rc_file:file r_file_perms;
|
||||
allow domain task_profiles_file:file r_file_perms;
|
||||
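Review bot: `allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;` gives every non-app domain write access to every file in the v2 hierarchy, because the whole mount carries the single cgroup_v2 type; unlike v1's per-controller `tasks` files, a v2 directory exposes control knobs such as cgroup.procs and cgroup.subtree_control (and cgroup.kill on newer kernels) under that same type, so any daemon can migrate or reshape tasks in the uid/pid hierarchy subject only to DAC. This mirrors the existing v1 grant two lines up, but it is worth confirming that the blanket grant is needed for all of these domains rather than the few that actually move tasks (presumably via libprocessgroup), and documenting the intent next to the rule, e.g. `# Non-app domains may write cgroup_v2 control files to place tasks; DAC on the per-uid/pid directories is the remaining boundary.`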
|
|
|
@ -4,6 +4,7 @@ typeattribute logpersist coredomain;
|
|||
userdebug_or_eng(`
|
||||
|
||||
r_dir_file(logpersist, cgroup)
|
||||
r_dir_file(logpersist, cgroup_v2)
|
||||
|
||||
allow logpersist misc_logd_file:file create_file_perms;
|
||||
allow logpersist misc_logd_file:dir rw_dir_perms;
|
||||
|
|
|
@ -240,6 +240,7 @@ neverallow priv_app trace_data_file:file { no_w_file_perms open };
|
|||
|
||||
# Do not allow priv_app access to cgroups.
|
||||
neverallow priv_app cgroup:file *;
|
||||
neverallow priv_app cgroup_v2:file *;
|
||||
|
||||
# Do not allow loading executable code from non-privileged
|
||||
# application home directories. Code loading across a security boundary
|
||||
|
|
|
@ -100,6 +100,7 @@ allow surfaceflinger inputflinger_service:service_manager find;
|
|||
allow surfaceflinger self:global_capability_class_set sys_nice;
|
||||
allow surfaceflinger proc_meminfo:file r_file_perms;
|
||||
r_dir_file(surfaceflinger, cgroup)
|
||||
r_dir_file(surfaceflinger, cgroup_v2)
|
||||
r_dir_file(surfaceflinger, system_file)
|
||||
allow surfaceflinger tmpfs:dir r_dir_perms;
|
||||
allow surfaceflinger system_server:fd use;
|
||||
|
|
|
@ -158,6 +158,7 @@ allow system_app {
|
|||
|
||||
# Settings app writes to /dev/stune/foreground/tasks.
|
||||
allow system_app cgroup:file w_file_perms;
|
||||
allow system_app cgroup_v2:file w_file_perms;
|
||||
|
||||
control_logd(system_app)
|
||||
read_runtime_log_tags(system_app)
|
||||
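Review bot: The comment above the new rule, `# Settings app writes to /dev/stune/foreground/tasks.`, names a v1 path and says nothing about what system_app needs in the v2 hierarchy, yet `allow system_app cgroup_v2:file w_file_perms;` grants writes to every cgroup_v2 control file, including cgroup.procs of other uids' groups wherever DAC permits. Please name the v2 file actually written, e.g. `# Settings app writes the stune tasks file (v1) and <file> in the cgroup v2 uid/pid hierarchy.`, or drop the v2 grant if, as the rest of the change suggests, that hierarchy is managed only by zygote and system_server.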
|
|
|
@ -889,6 +889,7 @@ allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISC
|
|||
|
||||
# Clean up old cgroups
|
||||
allow system_server cgroup:dir { remove_name rmdir };
|
||||
allow system_server cgroup_v2:dir { remove_name rmdir };
|
||||
|
||||
# /oem access
|
||||
r_dir_file(system_server, oemfs)
|
||||
|
@ -967,9 +968,8 @@ allow system_server preloads_media_file:file { r_file_perms unlink };
|
|||
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
|
||||
|
||||
r_dir_file(system_server, cgroup)
|
||||
r_dir_file(system_server, cgroup_v2)
|
||||
allow system_server ion_device:chr_file r_file_perms;
|
||||
allow system_server cgroup_v2:dir rw_dir_perms;
|
||||
allow system_server cgroup_v2:file rw_file_perms;
|
||||
|
||||
# Access to /dev/dma_heap/system
|
||||
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
|
||||
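Review bot: In the second hunk it is not clear from the rendered page which side `allow system_server cgroup_v2:dir rw_dir_perms;` and `allow system_server cgroup_v2:file rw_file_perms;` are on. If they survive on the new side, the added `r_dir_file(system_server, cgroup_v2)` and `cgroup_v2:dir { remove_name rmdir }` rules are subsumed by them and the broad rw grant should be dropped; if they are the removed lines, a one-line comment such as `# system_server only reads the v2 hierarchy and removes stale uid/pid directories` would record that narrowing so it is not re-widened later.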
|
|
|
@ -108,6 +108,8 @@ r_dir_file(zygote, vendor_overlay_file)
|
|||
# Control cgroups.
|
||||
allow zygote cgroup:dir create_dir_perms;
|
||||
allow zygote cgroup:{ file lnk_file } r_file_perms;
|
||||
allow zygote cgroup_v2:dir create_dir_perms;
|
||||
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
|
||||
allow zygote self:global_capability_class_set sys_admin;
|
||||
|
||||
# Allow zygote to stat the files that it opens. The zygote must
|
||||
|
@ -190,7 +192,10 @@ get_prop(zygote, device_config_runtime_native_boot_prop)
|
|||
get_prop(zygote, device_config_window_manager_native_boot_prop)
|
||||
|
||||
# ingore spurious denials
|
||||
dontaudit zygote self:global_capability_class_set sys_resource;
|
||||
# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
|
||||
# done to determine if the file should inherit setgid. In this case, setgid on the file is
|
||||
# undesirable, so suppress the denial.
|
||||
dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
|
||||
|
||||
# Ignore spurious denials calling access() on fuse
|
||||
# TODO(b/151316657): avoid the denials
|
||||
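Review bot: The `setattr` added on `cgroup_v2:{ file lnk_file }` is not explained by the `# Control cgroups.` comment, while the fsetid dontaudit further down documents the chmod that triggers it; the two belong together. Suggest `# zygote chmods files in the per-uid/pid cgroup_v2 directories it creates (see the fsetid dontaudit below).` above the rule, if that is indeed the reason. cgroupfs does not normally contain symlinks, so `lnk_file setattr` is presumably unnecessary and the grant could be narrowed to `allow zygote cgroup_v2:file { r_file_perms setattr };` with `lnk_file` kept at `r_file_perms` as on the v1 line.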
|
|
|
@ -7,6 +7,7 @@ allow charger kmsg_device:chr_file rw_file_perms;
|
|||
# Read access to pseudo filesystems.
|
||||
r_dir_file(charger, rootfs)
|
||||
r_dir_file(charger, cgroup)
|
||||
r_dir_file(charger, cgroup_v2)
|
||||
|
||||
# Allow to read /sys/class/power_supply directory
|
||||
allow charger sysfs_type:dir r_dir_perms;
|
||||
|
|
|
@ -14,3 +14,4 @@ allow credstore sec_key_att_app_id_provider_service:service_manager find;
|
|||
allow credstore dropbox_service:service_manager find;
|
||||
|
||||
r_dir_file(credstore, cgroup)
|
||||
r_dir_file(credstore, cgroup_v2)
|
||||
|
|
|
@ -4,6 +4,7 @@ type dhcp_exec, system_file_type, exec_type, file_type;
|
|||
net_domain(dhcp)
|
||||
|
||||
allow dhcp cgroup:dir { create write add_name };
|
||||
allow dhcp cgroup_v2:dir { create write add_name };
|
||||
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
|
||||
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
|
||||
allow dhcp self:netlink_route_socket nlmsg_write;
|
||||
|
|
|
@ -1322,10 +1322,12 @@ neverallow domain {
|
|||
|
||||
# cgroupfs directories can be created, but not files within them.
|
||||
neverallow domain cgroup:file create;
|
||||
neverallow domain cgroup_v2:file create;
|
||||
|
||||
dontaudit domain proc_type:dir write;
|
||||
dontaudit domain sysfs_type:dir write;
|
||||
dontaudit domain cgroup:file create;
|
||||
dontaudit domain cgroup_v2:file create;
|
||||
|
||||
# These are only needed in permissive mode - in enforcing mode the
|
||||
# directory write check fails and so these are never attempted.
|
||||
|
|
|
@ -61,4 +61,5 @@ allow drmserver mediametrics_service:service_manager find;
|
|||
selinux_check_access(drmserver)
|
||||
|
||||
r_dir_file(drmserver, cgroup)
|
||||
r_dir_file(drmserver, cgroup_v2)
|
||||
r_dir_file(drmserver, system_file)
|
||||
|
|
|
@ -134,6 +134,7 @@ allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
|
|||
|
||||
# Read /dev/cpuctl and /dev/cpuset
|
||||
r_dir_file(dumpstate, cgroup)
|
||||
r_dir_file(dumpstate, cgroup_v2)
|
||||
|
||||
# Allow dumpstate to make binder calls to any binder service
|
||||
binder_call(dumpstate, binderservicedomain)
|
||||
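Review bot: The comment `# Read /dev/cpuctl and /dev/cpuset` now also heads the new `r_dir_file(dumpstate, cgroup_v2)`, but the v2 hierarchy is not one of those v1 controller mounts, so the comment no longer describes the grant. Update it to something like `# Read the v1 controller mounts (/dev/cpuctl, /dev/cpuset) and the cgroup v2 hierarchy.`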
|
|
|
@ -39,3 +39,4 @@ allow gatekeeperd gatekeeper_data_file:file create_file_perms;
|
|||
allow gatekeeperd hardware_properties_service:service_manager find;
|
||||
|
||||
r_dir_file(gatekeeperd, cgroup)
|
||||
r_dir_file(gatekeeperd, cgroup_v2)
|
||||
|
|
|
@ -16,6 +16,10 @@ r_dir_file(hal_cas, cgroup)
|
|||
allow hal_cas cgroup:dir { search write };
|
||||
allow hal_cas cgroup:file w_file_perms;
|
||||
|
||||
r_dir_file(hal_cas, cgroup_v2)
|
||||
allow hal_cas cgroup_v2:dir { search write };
|
||||
allow hal_cas cgroup_v2:file w_file_perms;
|
||||
|
||||
# Allow access to ion memory allocation device
|
||||
allow hal_cas ion_device:chr_file rw_file_perms;
|
||||
allow hal_cas hal_graphics_allocator:fd use;
|
||||
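Review bot: `allow hal_cas cgroup_v2:file w_file_perms;` lets a vendor HAL write any cgroup_v2 control file (cgroup.procs, cgroup.subtree_control, cgroup.kill on newer kernels), not only files of its own group, because one type labels the whole hierarchy and DAC on the per-uid/pid directories is the only remaining check. If the HAL only needs to place its own threads, presumably through task profiles, confirm that cgroup.procs is the file it writes and record it: `# Write cgroup.procs (v1 tasks / v2) to apply task profiles to own threads.`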
|
|
|
@ -20,6 +20,10 @@ r_dir_file(hal_drm, cgroup)
|
|||
allow hal_drm cgroup:dir { search write };
|
||||
allow hal_drm cgroup:file w_file_perms;
|
||||
|
||||
r_dir_file(hal_drm, cgroup_v2)
|
||||
allow hal_drm cgroup_v2:dir { search write };
|
||||
allow hal_drm cgroup_v2:file w_file_perms;
|
||||
|
||||
# Allow access to ion memory allocation device
|
||||
allow hal_drm ion_device:chr_file rw_file_perms;
|
||||
allow hal_drm hal_graphics_allocator:fd use;
|
||||
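Review bot: As with hal_cas, `allow hal_drm cgroup_v2:file w_file_perms;` is a write grant on every control file in the v2 hierarchy, so a compromised DRM HAL can alter subtree_control or migrate tasks wherever DAC allows. A comment stating the intended target would make later narrowing possible, e.g. `# Write cgroup.procs to apply task profiles to own threads.`; confirm that is the only file it touches.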
|
|
|
@ -14,6 +14,7 @@ allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
|
|||
allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
|
||||
|
||||
r_dir_file(hal_fingerprint, cgroup)
|
||||
r_dir_file(hal_fingerprint, cgroup_v2)
|
||||
r_dir_file(hal_fingerprint, sysfs)
|
||||
|
||||
|
||||
|
|
|
@ -11,6 +11,8 @@ allow hal_telephony_server kernel:system module_request;
|
|||
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
|
||||
allow hal_telephony_server cgroup:dir create_dir_perms;
|
||||
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
|
||||
allow hal_telephony_server cgroup_v2:dir create_dir_perms;
|
||||
allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
|
||||
allow hal_telephony_server radio_device:chr_file rw_file_perms;
|
||||
allow hal_telephony_server radio_device:blk_file r_file_perms;
|
||||
allow hal_telephony_server efs_file:dir create_dir_perms;
|
||||
|
|
|
@ -13,6 +13,7 @@ r_dir_file(hal_wifi_supplicant, proc_net_type)
|
|||
allow hal_wifi_supplicant kernel:system module_request;
|
||||
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
|
||||
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
|
||||
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
|
||||
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
|
||||
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
|
||||
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
|
||||
|
|
|
@ -11,6 +11,7 @@ allow healthd sysfs_type:dir search;
|
|||
allow healthd sysfs:dir r_dir_perms;
|
||||
r_dir_file(healthd, rootfs)
|
||||
r_dir_file(healthd, cgroup)
|
||||
r_dir_file(healthd, cgroup_v2)
|
||||
|
||||
allow healthd self:global_capability_class_set { sys_tty_config };
|
||||
allow healthd self:global_capability_class_set sys_boot;
|
||||
|
|
|
@ -103,7 +103,6 @@ allow init {
|
|||
postinstall_mnt_dir
|
||||
mirror_data_file
|
||||
}:dir mounton;
|
||||
allow init cgroup_v2:dir { mounton create_dir_perms };
|
||||
|
||||
# Mount bpf fs on sys/fs/bpf
|
||||
allow init fs_bpf:dir mounton;
|
||||
|
@ -132,6 +131,8 @@ allow init cgroup_rc_file:file rw_file_perms;
|
|||
allow init cgroup_desc_file:file r_file_perms;
|
||||
allow init cgroup_desc_api_file:file r_file_perms;
|
||||
allow init vendor_cgroup_desc_file:file r_file_perms;
|
||||
allow init cgroup_v2:dir { mounton create_dir_perms};
|
||||
allow init cgroup_v2:file rw_file_perms;
|
||||
|
||||
# /config
|
||||
allow init configfs:dir mounton;
|
||||
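Review bot: The relocated rule `allow init cgroup_v2:dir { mounton create_dir_perms};` lost the space before `}` that the removed line had and that every other brace set in this file uses; restore `allow init cgroup_v2:dir { mounton create_dir_perms };`. The new `allow init cgroup_v2:file rw_file_perms;` also carries no comment; `# Populate the cgroup v2 uid/pid hierarchy (cgroup.subtree_control etc.) — TODO confirm which files` would make the reason visible next to the cgroup_rc_file rules it now sits beside.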
|
|
|
@ -13,3 +13,4 @@ allow inputflinger input_device:dir r_dir_perms;
|
|||
allow inputflinger input_device:chr_file rw_file_perms;
|
||||
|
||||
r_dir_file(inputflinger, cgroup)
|
||||
r_dir_file(inputflinger, cgroup_v2)
|
||||
|
|
|
@ -26,6 +26,7 @@ allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
|
|||
allow installd oemfs:dir r_dir_perms;
|
||||
allow installd oemfs:file r_file_perms;
|
||||
allow installd cgroup:dir create_dir_perms;
|
||||
allow installd cgroup_v2:dir create_dir_perms;
|
||||
allow installd mnt_expand_file:dir { search getattr };
|
||||
# Check validity of SELinux context before use.
|
||||
selinux_check_context(installd)
|
||||
|
|
|
@ -24,6 +24,7 @@ add_service(keystore, authorization_service)
|
|||
selinux_check_access(keystore)
|
||||
|
||||
r_dir_file(keystore, cgroup)
|
||||
r_dir_file(keystore, cgroup_v2)
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
|
|
|
@ -26,9 +26,11 @@ allow lmkd kernel:process { setsched };
|
|||
|
||||
# Clean up old cgroups
|
||||
allow lmkd cgroup:dir { remove_name rmdir };
|
||||
allow lmkd cgroup_v2:dir { remove_name rmdir };
|
||||
|
||||
# Allow to read memcg stats
|
||||
allow lmkd cgroup:file r_file_perms;
|
||||
allow lmkd cgroup_v2:file r_file_perms;
|
||||
|
||||
# Set self to SCHED_FIFO
|
||||
allow lmkd self:global_capability_class_set sys_nice;
|
||||
|
|
|
@ -4,6 +4,7 @@ type logd_exec, system_file_type, exec_type, file_type;
|
|||
|
||||
# Read access to pseudo filesystems.
|
||||
r_dir_file(logd, cgroup)
|
||||
r_dir_file(logd, cgroup_v2)
|
||||
r_dir_file(logd, proc_kmsg)
|
||||
r_dir_file(logd, proc_meminfo)
|
||||
|
||||
|
|
|
@ -20,6 +20,7 @@ hal_client_domain(mediaextractor, hal_cas)
|
|||
hal_client_domain(mediaextractor, hal_allocator)
|
||||
|
||||
r_dir_file(mediaextractor, cgroup)
|
||||
r_dir_file(mediaextractor, cgroup_v2)
|
||||
allow mediaextractor proc_meminfo:file r_file_perms;
|
||||
|
||||
crash_dump_fallback(mediaextractor)
|
||||
|
|
|
@ -12,6 +12,7 @@ add_service(mediametrics, mediametrics_service)
|
|||
allow mediametrics system_server:fd use;
|
||||
|
||||
r_dir_file(mediametrics, cgroup)
|
||||
r_dir_file(mediametrics, cgroup_v2)
|
||||
allow mediametrics proc_meminfo:file r_file_perms;
|
||||
|
||||
# allows interactions with dumpsys to GMScore
|
||||
|
|
|
@ -9,6 +9,7 @@ net_domain(mediaserver)
|
|||
|
||||
r_dir_file(mediaserver, sdcard_type)
|
||||
r_dir_file(mediaserver, cgroup)
|
||||
r_dir_file(mediaserver, cgroup_v2)
|
||||
|
||||
# stat /proc/self
|
||||
allow mediaserver proc:lnk_file getattr;
|
||||
|
|
|
@ -28,3 +28,4 @@ userdebug_or_eng(`
|
|||
|
||||
# Access /dev/cpuset/cpuset.cpus
|
||||
r_dir_file(performanced, cgroup)
|
||||
r_dir_file(performanced, cgroup_v2)
|
||||
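Review bot: The comment `# Access /dev/cpuset/cpuset.cpus` does not cover the new `r_dir_file(performanced, cgroup_v2)`; if performanced also reads cpuset settings from the v2 hierarchy, say so, e.g. `# Read /dev/cpuset/cpuset.cpus (v1) and the equivalent cpuset files in the cgroup v2 hierarchy.`, otherwise the v2 grant looks unmotivated.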
|
|
|
@ -12,6 +12,7 @@ binder_use(racoon)
|
|||
allow racoon tun_device:chr_file r_file_perms;
|
||||
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
|
||||
allow racoon cgroup:dir { add_name create };
|
||||
allow racoon cgroup_v2:dir { add_name create };
|
||||
allow racoon kernel:system module_request;
|
||||
|
||||
allow racoon self:key_socket create_socket_perms_no_ioctl;
|
||||
|
|
|
@ -2,6 +2,7 @@ type sdcardd, domain;
|
|||
type sdcardd_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
allow sdcardd cgroup:dir create_dir_perms;
|
||||
allow sdcardd cgroup_v2:dir create_dir_perms;
|
||||
allow sdcardd fuse_device:chr_file rw_file_perms;
|
||||
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
|
||||
allow sdcardd sdcardfs:filesystem remount;
|
||||
|
|
|
@ -126,6 +126,7 @@ r_dir_file(shell, cgroup)
|
|||
allow shell cgroup_desc_file:file r_file_perms;
|
||||
allow shell cgroup_desc_api_file:file r_file_perms;
|
||||
allow shell vendor_cgroup_desc_file:file r_file_perms;
|
||||
r_dir_file(shell, cgroup_v2)
|
||||
allow shell domain:dir { search open read getattr };
|
||||
allow shell domain:{ file lnk_file } { open read getattr };
|
||||
|
||||
|
|
|
@ -16,6 +16,8 @@ allow vendor_init rootfs:lnk_file { create unlink };
|
|||
# Create cgroups mount points in tmpfs and mount cgroups on them.
|
||||
allow vendor_init cgroup:dir create_dir_perms;
|
||||
allow vendor_init cgroup:file w_file_perms;
|
||||
allow vendor_init cgroup_v2:dir create_dir_perms;
|
||||
allow vendor_init cgroup_v2:file w_file_perms;
|
||||
|
||||
# /config
|
||||
allow vendor_init configfs:dir mounton;
|
||||
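Review bot: The comment `# Create cgroups mount points in tmpfs and mount cgroups on them.` now covers the cgroup_v2 rules, but unlike init, vendor_init gets no `cgroup_v2:dir mounton`, only `create_dir_perms` and `cgroup_v2:file w_file_perms`. Either the comment overstates what vendor_init can do with v2, or mounton is missing and a vendor cgroup description that mounts a v2 hierarchy will be denied; confirm which, and either add the permission or note `# vendor_init may create directories and write control files in the cgroup v2 hierarchy; mounting it is init's job.`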