Merge "Add SELinux policy for using userfaultfd"
commit
baf84ee461
10 changed files with 39 additions and 0 deletions
|
@ -182,6 +182,9 @@ inherits file
|
|||
entrypoint
|
||||
}
|
||||
|
||||
class anon_inode
|
||||
inherits file
|
||||
|
||||
class lnk_file
|
||||
inherits file
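Review bot: The new `class anon_inode` inherits every `file` permission, including `entrypoint`, `execute` and `execmod`, yet the declaration carries no comment saying what an anon_inode object is or which part of the policy consumes it. A one-line comment would tie it to its only visible user: `# Anonymous inodes, e.g. the "[userfaultfd]" object labelled via userfaultfd_use() in te_macros.` The enclosing `class file` block starts before this hunk.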
|
||||
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
type dex2oat, domain, coredomain;
|
||||
type dex2oat_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
userfaultfd_use(dex2oat)
|
||||
|
||||
r_dir_file(dex2oat, apk_data_file)
|
||||
# Access to /vendor/app
|
||||
r_dir_file(dex2oat, vendor_app_file)
|
||||
|
|
|
@ -14,6 +14,8 @@ r_dir_file(dexoptanalyzer, vendor_app_file)
|
|||
# processes.
|
||||
tmpfs_domain(dexoptanalyzer)
|
||||
|
||||
userfaultfd_use(dexoptanalyzer)
|
||||
|
||||
# Allow dexoptanalyzer to read files in the dalvik cache.
|
||||
allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
|
||||
allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
|
||||
|
|
|
@ -47,6 +47,13 @@ mlsconstrain unix_stream_socket { connectto }
|
|||
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
|
||||
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
|
||||
|
||||
#
|
||||
# Userfaultfd constraints
|
||||
#
|
||||
# To enforce that anonymous inodes are self contained in the application's process.
|
||||
mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
|
||||
(l1 eq l2);
|
||||
|
||||
#
|
||||
# Constraints for app data files only.
|
||||
#
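Review bot: The `(l1 eq l2)` constraint enumerates permissions instead of covering the whole inherited `file` set, so anything not listed — `entrypoint` is visible in the `file` class elsewhere in this commit, and any permission added to `file` later — stays unconstrained across MLS levels. If the constraint syntax accepts it, `mlsconstrain anon_inode * (l1 eq l2);` would track the class automatically; otherwise the list needs the missing names. The comment above it would also help more if it said why type enforcement alone is not enough, e.g. `# Processes in the same domain but with different MLS categories (separate apps) share one *_userfaultfd type, so level equality is what keeps one app from using another's userfaultfd.` — that reading follows from userfaultfd_use() being invoked per app domain in te_macros, so confirm it matches the intent.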
|
||||
|
|
|
@ -7,6 +7,8 @@ allow odrefresh apex_module_data_file:dir { getattr search };
|
|||
allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
|
||||
allow odrefresh apex_art_data_file:file create_file_perms;
|
||||
|
||||
userfaultfd_use(odrefresh)
|
||||
|
||||
# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
|
||||
# sets up files here and passes file descriptors for dex2oat to write to.
|
||||
allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
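Review bot: odrefresh hands file descriptors to dex2oat (the staging-area comment just below says so), and with `userfaultfd_use(odrefresh)` the macro's neverallow makes any userfaultfd descriptor that travels with them unusable in dex2oat, which gets its own `dex2oat_userfaultfd` type elsewhere in this commit. That is the intended isolation, but it is worth stating next to the macro call so nobody later tries to share the fd: `# odrefresh's userfaultfd is private to odrefresh; do not pass it to dex2oat with the staging fds (see the neverallows in userfaultfd_use).`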
|
||||
|
|
|
@ -15,6 +15,7 @@ class capability
|
|||
# file-related classes
|
||||
class filesystem
|
||||
class file
|
||||
class anon_inode
|
||||
class dir
|
||||
class fd
|
||||
class lnk_file
|
||||
|
|
|
@ -12,6 +12,8 @@ typeattribute system_server stats_service_server;
|
|||
# Define a type for tmpfs-backed ashmem regions.
|
||||
tmpfs_domain(system_server)
|
||||
|
||||
userfaultfd_use(system_server)
|
||||
|
||||
# Create a socket for connections from crash_dump.
|
||||
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
|
||||
|
||||
|
|
|
@ -10,6 +10,8 @@ typeattribute webview_zygote mlstrustedsubject;
|
|||
# a domain macro.
|
||||
tmpfs_domain(webview_zygote);
|
||||
|
||||
userfaultfd_use(webview_zygote)
|
||||
|
||||
# Allow reading/executing installed binaries to enable preloading the
|
||||
# installed WebView implementation.
|
||||
allow webview_zygote apk_data_file:dir r_dir_perms;
|
||||
|
|
|
@ -24,6 +24,8 @@ allow zygote app_zygote:process dyntransition;
|
|||
allow zygote appdomain:dir { getattr search };
|
||||
allow zygote appdomain:file { r_file_perms };
|
||||
|
||||
userfaultfd_use(zygote)
|
||||
|
||||
# Move children into the peer process group.
|
||||
allow zygote system_server:process { getpgid setpgid };
|
||||
allow zygote appdomain:process { getpgid setpgid };
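Review bot: zygote forks app processes, and a userfaultfd opened in zygote would be inherited by every child unless it is closed before the child specializes; the macro's neverallow only stops appdomain from using a `zygote_userfaultfd` inode, it does not stop the descriptor itself from leaking into the child. Whether zygote actually keeps one open across fork is not visible from the policy, so a comment recording the expectation would help: `# Any userfaultfd zygote opens must be closed before forking app processes; appdomain cannot use zygote_userfaultfd (neverallow in userfaultfd_use).`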
|
||||
|
|
|
@ -163,6 +163,21 @@ define(`init_daemon_domain', `
|
|||
domain_auto_trans(init, $1_exec, $1)
|
||||
')
|
||||
|
||||
####################################
|
||||
# userfaultfd_use(domain)
|
||||
# Allow domain to create/use userfaultfd.
|
||||
define(`userfaultfd_use', `
|
||||
# Set up a type_transition to "userfaultfd" named anonymous inode object.
|
||||
type $1_userfaultfd;
|
||||
type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
|
||||
# Allow domain to create/use userfaultfd anon_inode.
|
||||
allow $1 $1_userfaultfd:anon_inode { create ioctl read };
|
||||
# Other domains may not use userfaultfd anon_inodes created by this domain.
|
||||
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
|
||||
# This domain may not use userfaultfd anon_inodes created by other domains.
|
||||
neverallow $1 ~$1_userfaultfd:anon_inode *;
|
||||
')
|
||||
|
||||
#####################################
|
||||
# app_domain(domain)
|
||||
# Allow a base set of permissions required for all apps.
|
||||
|
@ -170,6 +185,7 @@ define(`app_domain', `
|
|||
typeattribute $1 appdomain;
|
||||
# Label tmpfs objects for all apps.
|
||||
type_transition $1 tmpfs:file appdomain_tmpfs;
|
||||
userfaultfd_use($1)
|
||||
allow $1 appdomain_tmpfs:file { execute getattr map read write };
|
||||
neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
|
||||
neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
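Review bot: `userfaultfd_use` declares `type $1_userfaultfd;` on every expansion, so invoking it twice for the same domain — easy to do now that `app_domain()` calls it implicitly while several .te files in this commit call it by hand — duplicates the type declaration and fails policy compilation. The macro header should say so: `# Must be invoked at most once per domain; app_domain() already does this for all app domains.` Separately, `ioctl` on the anon_inode is granted with no `allowxperm` filter although the userfaultfd API is driven entirely through ioctls; if the UFFDIO command numbers are available to the policy, restricting the allowed ioctls to that set would keep the grant minimal.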
|
||||
|
|