Merge "Add SELinux Policy For io_uring" am: fab49d0a64

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2302679 Change-Id: I65aad86e82542723e96a7e24e16a597e91d7aa6c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-01-30 15:14:42 +00:00 · 2023-01-30 15:14:42 +00:00 · bc0f54877a
commit bc0f54877a
parent 13909cdb3f fab49d0a64
6 changed files with 41 additions and 10 deletions
--- a/private/access_vectors
+++ b/private/access_vectors
@ -789,3 +789,10 @@ class lockdown
 	integrity
 	confidentiality
 }
+
+class io_uring
+{
+	override_creds
+	sqpoll
+	cmd
+}
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -266,7 +266,6 @@ neverallow {
  -mediaprovider_app
 } { userdebug_or_eng_prop }:file read;

-
 # Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
 # used to communicate to the mdnsd responder. The mdnsd responder will be
 # replaced by a java implementation which is integrated into the system server.
@ -288,3 +287,9 @@ neverallow {
  -untrusted_app_30
  -untrusted_app_32
 } mdnsd:unix_stream_socket connectto;
+
+# Do not allow untrusted apps to use anonymous inodes. At the moment,
+# type transitions are the only way to distinguish between different
+# anon_inode usages like userfaultfd and io_uring. This prevents us from
+# creating a more fine-grained neverallow policy for each anon_inode usage.
+neverallow all_untrusted_apps domain:anon_inode *;
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@ -50,7 +50,7 @@ recovery_only(`
  hal_client_domain(fastbootd, hal_fastboot)
 ')

-# io_uring_setup needs ipc_lock and permission to operate anon inodes
+# This capability allows fastbootd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
 allow fastbootd self:capability ipc_lock;
-
-allow fastbootd self:anon_inode create_file_perms;
+io_uring_use(fastbootd)
--- a/private/security_classes
+++ b/private/security_classes
@ -142,6 +142,8 @@ class xdp_socket

 class perf_event

+class io_uring
+
 # Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
 class lockdown

--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@ -8,8 +8,6 @@ init_daemon_domain(snapuserd)

 allow snapuserd kmsg_device:chr_file rw_file_perms;

-allow snapuserd self:capability ipc_lock;
-
 # Allow snapuserd to reach block devices in /dev/block.
 allow snapuserd block_device:dir search;

@ -54,9 +52,12 @@ neverallow {
  -init
 } snapuserd_prop:property_service set;

-allow snapuserd self:anon_inode create_file_perms;
-
 # Allow to read/write/create OTA metadata files
 allow snapuserd metadata_file:dir search;
 allow snapuserd ota_metadata_file:dir rw_dir_perms;
 allow snapuserd ota_metadata_file:file create_file_perms;
+
+# This capability allows snapuserd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
+allow snapuserd self:capability ipc_lock;
+io_uring_use(snapuserd)
--- a/public/te_macros
+++ b/public/te_macros
@ -176,8 +176,6 @@ allow $1 $1_userfaultfd:anon_inode { create ioctl read };
 dontaudit su $1_userfaultfd:anon_inode *;
 # Other domains may not use userfaultfd anon_inodes created by this domain.
 neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
-# This domain may not use userfaultfd anon_inodes created by other domains.
-neverallow $1 ~$1_userfaultfd:anon_inode *;
 ')

 ####################################
@ -1043,3 +1041,21 @@ define(`use_apex_info', `
  allow $1 apex_mnt_dir:dir r_dir_perms;
  allow $1 apex_info_file:file r_file_perms;
 ')
+
+####################################
+# io_uring_use(domain)
+# Allow domain to create/use io_uring.
+define(`io_uring_use', `
+# Set up a type_transition to "io_uring" named anonymous inode object.
+type $1_iouring;
+type_transition $1 $1:anon_inode $1_iouring "[io_uring]";
+# Allow domain to create/use io_uring anon_inode.
+allow $1 $1_iouring:anon_inode { create map read write };
+allow $1 self:io_uring sqpoll;
+# Other domains may not use iouring anon_inodes created by this domain.
+neverallow { domain -$1 } $1_iouring:anon_inode *;
+# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
+# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
+# grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
+dontaudit $1 self:global_capability_class_set ipc_lock;
+')