Merge "sepolicy: rules for uid/pid cgroups v2 hierarchy"

This commit is contained in:
Treehugger Robot 2020-12-02 19:50:11 +00:00 committed by Gerrit Code Review
commit b18b39486f
35 changed files with 55 additions and 4 deletions

View file

@ -228,6 +228,7 @@ neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
neverallow all_untrusted_apps cgroup_v2:file *;
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.

View file

@ -54,6 +54,10 @@ allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
allow domain cgroup_v2:dir search;
allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;

View file

@ -4,6 +4,7 @@ typeattribute logpersist coredomain;
userdebug_or_eng(`
r_dir_file(logpersist, cgroup)
r_dir_file(logpersist, cgroup_v2)
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;

View file

@ -213,6 +213,7 @@ neverallow priv_app trace_data_file:file { no_w_file_perms open };
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
neverallow priv_app cgroup_v2:file *;
# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary

View file

@ -100,6 +100,7 @@ allow surfaceflinger inputflinger_service:service_manager find;
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
r_dir_file(surfaceflinger, cgroup_v2)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;

View file

@ -152,6 +152,7 @@ allow system_app {
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
allow system_app cgroup_v2:file w_file_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)

View file

@ -841,6 +841,7 @@ allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISC
# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
allow system_server cgroup_v2:dir { remove_name rmdir };
# /oem access
r_dir_file(system_server, oemfs)
@ -919,9 +920,8 @@ allow system_server preloads_media_file:file { r_file_perms unlink };
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
r_dir_file(system_server, cgroup)
r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;
allow system_server cgroup_v2:dir rw_dir_perms;
allow system_server cgroup_v2:file rw_file_perms;
# Access to /dev/dma_heap/system
allow system_server dmabuf_system_heap_device:chr_file r_file_perms;

View file

@ -101,6 +101,8 @@ r_dir_file(zygote, vendor_overlay_file)
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
allow zygote cgroup_v2:dir create_dir_perms;
allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
@ -183,7 +185,10 @@ get_prop(zygote, device_config_runtime_native_boot_prop)
get_prop(zygote, device_config_window_manager_native_boot_prop)
# ingore spurious denials
dontaudit zygote self:global_capability_class_set sys_resource;
# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
# done to determine if the file should inherit setgid. In this case, setgid on the file is
# undesirable, so suppress the denial.
dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
# Ignore spurious denials calling access() on fuse
# TODO(b/151316657): avoid the denials

View file

@ -7,6 +7,7 @@ allow charger kmsg_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
r_dir_file(charger, cgroup_v2)
# Allow to read /sys/class/power_supply directory
allow charger sysfs_type:dir r_dir_perms;

View file

@ -14,3 +14,4 @@ allow credstore sec_key_att_app_id_provider_service:service_manager find;
allow credstore dropbox_service:service_manager find;
r_dir_file(credstore, cgroup)
r_dir_file(credstore, cgroup_v2)

View file

@ -4,6 +4,7 @@ type dhcp_exec, system_file_type, exec_type, file_type;
net_domain(dhcp)
allow dhcp cgroup:dir { create write add_name };
allow dhcp cgroup_v2:dir { create write add_name };
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
allow dhcp self:netlink_route_socket nlmsg_write;

View file

@ -1331,10 +1331,12 @@ neverallow domain {
# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
neverallow domain cgroup_v2:file create;
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;
dontaudit domain cgroup_v2:file create;
# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.

View file

@ -59,4 +59,5 @@ allow drmserver mediametrics_service:service_manager find;
selinux_check_access(drmserver)
r_dir_file(drmserver, cgroup)
r_dir_file(drmserver, cgroup_v2)
r_dir_file(drmserver, system_file)

View file

@ -134,6 +134,7 @@ allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)

View file

@ -37,3 +37,4 @@ allow gatekeeperd gatekeeper_data_file:file create_file_perms;
allow gatekeeperd hardware_properties_service:service_manager find;
r_dir_file(gatekeeperd, cgroup)
r_dir_file(gatekeeperd, cgroup_v2)

View file

@ -16,6 +16,10 @@ r_dir_file(hal_cas, cgroup)
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file w_file_perms;
r_dir_file(hal_cas, cgroup_v2)
allow hal_cas cgroup_v2:dir { search write };
allow hal_cas cgroup_v2:file w_file_perms;
# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file rw_file_perms;
allow hal_cas hal_graphics_allocator:fd use;

View file

@ -20,6 +20,10 @@ r_dir_file(hal_drm, cgroup)
allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file w_file_perms;
r_dir_file(hal_drm, cgroup_v2)
allow hal_drm cgroup_v2:dir { search write };
allow hal_drm cgroup_v2:file w_file_perms;
# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;

View file

@ -14,6 +14,7 @@ allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
r_dir_file(hal_fingerprint, cgroup)
r_dir_file(hal_fingerprint, cgroup_v2)
r_dir_file(hal_fingerprint, sysfs)

View file

@ -11,6 +11,8 @@ allow hal_telephony_server kernel:system module_request;
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
allow hal_telephony_server cgroup_v2:dir create_dir_perms;
allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
allow hal_telephony_server radio_device:chr_file rw_file_perms;
allow hal_telephony_server radio_device:blk_file r_file_perms;
allow hal_telephony_server efs_file:dir create_dir_perms;

View file

@ -13,6 +13,7 @@ r_dir_file(hal_wifi_supplicant, proc_net_type)
allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;

View file

@ -11,6 +11,7 @@ allow healthd sysfs_type:dir search;
allow healthd sysfs:dir r_dir_perms;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
r_dir_file(healthd, cgroup_v2)
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;

View file

@ -96,7 +96,6 @@ allow init {
postinstall_mnt_dir
mirror_data_file
}:dir mounton;
allow init cgroup_v2:dir { mounton create_dir_perms };
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
@ -125,6 +124,8 @@ allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
allow init cgroup_desc_api_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
allow init cgroup_v2:dir { mounton create_dir_perms};
allow init cgroup_v2:file rw_file_perms;
# /config
allow init configfs:dir mounton;

View file

@ -13,3 +13,4 @@ allow inputflinger input_device:dir r_dir_perms;
allow inputflinger input_device:chr_file rw_file_perms;
r_dir_file(inputflinger, cgroup)
r_dir_file(inputflinger, cgroup_v2)

View file

@ -26,6 +26,7 @@ allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
allow installd cgroup_v2:dir create_dir_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)

View file

@ -20,6 +20,7 @@ allow keystore dropbox_service:service_manager find;
selinux_check_access(keystore)
r_dir_file(keystore, cgroup)
r_dir_file(keystore, cgroup_v2)
###
### Neverallow rules

View file

@ -26,9 +26,11 @@ allow lmkd kernel:process { setsched };
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
allow lmkd cgroup_v2:dir { remove_name rmdir };
# Allow to read memcg stats
allow lmkd cgroup:file r_file_perms;
allow lmkd cgroup_v2:file r_file_perms;
# Set self to SCHED_FIFO
allow lmkd self:global_capability_class_set sys_nice;

View file

@ -4,6 +4,7 @@ type logd_exec, system_file_type, exec_type, file_type;
# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
r_dir_file(logd, cgroup_v2)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)

View file

@ -20,6 +20,7 @@ hal_client_domain(mediaextractor, hal_cas)
hal_client_domain(mediaextractor, hal_allocator)
r_dir_file(mediaextractor, cgroup)
r_dir_file(mediaextractor, cgroup_v2)
allow mediaextractor proc_meminfo:file r_file_perms;
crash_dump_fallback(mediaextractor)

View file

@ -12,6 +12,7 @@ add_service(mediametrics, mediametrics_service)
allow mediametrics system_server:fd use;
r_dir_file(mediametrics, cgroup)
r_dir_file(mediametrics, cgroup_v2)
allow mediametrics proc_meminfo:file r_file_perms;
# allows interactions with dumpsys to GMScore

View file

@ -9,6 +9,7 @@ net_domain(mediaserver)
r_dir_file(mediaserver, sdcard_type)
r_dir_file(mediaserver, cgroup)
r_dir_file(mediaserver, cgroup_v2)
# stat /proc/self
allow mediaserver proc:lnk_file getattr;

View file

@ -28,3 +28,4 @@ userdebug_or_eng(`
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
r_dir_file(performanced, cgroup_v2)

View file

@ -12,6 +12,7 @@ binder_use(racoon)
allow racoon tun_device:chr_file r_file_perms;
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
allow racoon cgroup_v2:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;

View file

@ -2,6 +2,7 @@ type sdcardd, domain;
type sdcardd_exec, system_file_type, exec_type, file_type;
allow sdcardd cgroup:dir create_dir_perms;
allow sdcardd cgroup_v2:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
allow sdcardd sdcardfs:filesystem remount;

View file

@ -125,6 +125,7 @@ r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
allow shell cgroup_desc_api_file:file r_file_perms;
allow shell vendor_cgroup_desc_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };

View file

@ -16,6 +16,8 @@ allow vendor_init rootfs:lnk_file { create unlink };
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
allow vendor_init cgroup:file w_file_perms;
allow vendor_init cgroup_v2:dir create_dir_perms;
allow vendor_init cgroup_v2:file w_file_perms;
# /config
allow vendor_init configfs:dir mounton;