Add SELinux lockdown policy
The lockdown hook defines 2 modes: integrity and confidentiality [1].

The integrity mode ensures that the kernel integrity cannot be corrupted by directly modifying memory (i.e. using /dev/mem), accessing PCI devices, interacting with debugfs, etc. While some of these methods overlap with the current policy definition, there is value in enforcing this mode for Android to ensure that no permission has been overly granted. Some of these detection methods use arbitrary heuristics to characterize the access [2]. Adapt part of the policy to match this constraint.

The confidentiality mode further restricts the use of other kernel facilities such as tracefs. Android already defines a fine-grained policy for these. Furthermore, access to part of tracefs is required in all domains (see debugfs_trace_marker). Allow any access related to this mode.

[1] https://lore.kernel.org/linux-api/20190820001805.241928-4-matthewgarrett@google.com/
[2] https://lore.kernel.org/linux-api/20190820001805.241928-27-matthewgarrett@google.com/

Bug: 148822198
Test: boot cuttlefish with patched kernel; check logcat for denials.
Test: run simpleperf monitor to exercise tracefs; check logcat for denials.
Change-Id: Ib826a0c153771a61aae963678394b75faa6ca1fe
This commit is contained in:
parent
01cce002bf
commit
bcfca1a686
2 changed files with 14 additions and 0 deletions
@ -170,6 +170,9 @@ create_pty(untrusted_app_all)
|
|||
userdebug_or_eng(`
|
||||
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
|
||||
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
|
||||
# The use of debugfs kcov is considered a breach of the kernel integrity
|
||||
# according to the heuristic of lockdown.
|
||||
allow untrusted_app_all self:lockdown integrity;
|
||||
')
|
||||
|
||||
# Allow signalling simpleperf domain, which is the domain that the simpleperf
|
||||
|
|
|
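Review bot: the new `allow untrusted_app_all self:lockdown integrity;` is broader than the kcov use case the comment describes: the integrity level, per the commit message, also covers /dev/mem writes, PCI access and other debugfs interfaces, so on userdebug/eng builds this line grants the lockdown-side permission for all of those, not only kcov. That is acceptable because the underlying objects are still gated by their own SELinux rules and the grant is wrapped in userdebug_or_eng, but the comment should say so, e.g. "# The rule is debug-only; access to the underlying objects remains governed by the existing per-object rules." Otherwise a later reader may assume lockdown integrity is the only thing standing between an untrusted app and those interfaces.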
@ -274,6 +274,14 @@ allow domain debugfs_tracing:dir search;
|
|||
allow domain debugfs_tracing_debug:dir search;
|
||||
allow domain debugfs_trace_marker:file w_file_perms;
|
||||
|
||||
# Linux lockdown mode offers coarse-grained definitions for access controls.
|
||||
# The "confidentiality" level detects access to tracefs or the perf subsystem.
|
||||
# This overlaps with more precise declarations in Android's policy. The
|
||||
# debugfs_trace_marker above is an example in which all processes should have
|
||||
# some access to tracefs. Therefore, allow all domains to access this level.
|
||||
# The "integrity" level is however enforced.
|
||||
allow domain self:lockdown confidentiality;
|
||||
|
||||
# Filesystem access.
|
||||
allow domain fs_type:filesystem getattr;
|
||||
allow domain fs_type:dir getattr;
|
||||
|
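Review bot: `allow domain self:lockdown confidentiality;` removes the lockdown confidentiality check as a defense-in-depth layer for every domain at once, so from this change on the only control over tracefs and perf access is the existing fine-grained policy (such as the `debugfs_tracing*` rules visible in this hunk and the printk_formats neverallow further down). The comment explains the rationale well, but should state explicitly that those per-object rules must therefore not be loosened on the assumption that lockdown still backs them. Minor wording: "detects access" reads better as "covers access", since the level is a permission check rather than a detector.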
@ -1393,3 +1401,6 @@ neverallow {
|
|||
} ashmem_device:chr_file open;
|
||||
|
||||
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
|
||||
|
||||
# Linux lockdown "integrity" level is enforced for user builds.
|
||||
neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
|
||||
|
|
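Review bot: the `neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;` idiom relies on the macro expanding to `{ domain -domain }`, an empty set, on userdebug/eng builds, which makes the neverallow a no-op there and a blanket prohibition on user builds. That matches the intent, but the expansion is easy to misread; a one-line comment such as "# userdebug_or_eng expands to an empty set on debug builds, so this only bites on user" would help. Also worth noting in the comment that the rule intentionally blocks any future `allow ... self:lockdown integrity` for user builds, so a domain that legitimately needs /dev/mem or PCI access on user builds will fail policy compilation and must be discussed here rather than silently added.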