From aa4ce95c6f601c5fa901a12d9f366440bf56c7e2 Mon Sep 17 00:00:00 2001
From: Marco Ballesio
Date: Thu, 11 Feb 2021 15:18:11 -0800
Subject: [PATCH 1/2] sepolicy: rules for uid/pid cgroups v2 hierarchy
Bug: 168907513
Test: verified the correct working of the v2 uid/pid hierarchy in normal and recovery modes
This reverts commit aa8bb3a29b92a342c42c802edac269da5984d1df.
Change-Id: Ib344d500ea49b86e862e223ab58a16601eebef47
---
private/app_neverallows.te | 1 +
private/domain.te | 4 ++++
private/logpersist.te | 1 +
private/priv_app.te | 1 +
private/surfaceflinger.te | 1 +
private/system_app.te | 1 +
private/system_server.te | 4 ++--
private/zygote.te | 7 ++++++-
public/charger.te | 1 +
public/credstore.te | 1 +
public/dhcp.te | 1 +
public/domain.te | 2 ++
public/drmserver.te | 1 +
public/dumpstate.te | 1 +
public/gatekeeperd.te | 1 +
public/hal_cas.te | 4 ++++
public/hal_drm.te | 4 ++++
public/hal_fingerprint.te | 1 +
public/hal_telephony.te | 2 ++
public/hal_wifi_supplicant.te | 1 +
public/healthd.te | 1 +
public/init.te | 3 ++-
public/inputflinger.te | 1 +
public/installd.te | 1 +
public/keystore.te | 1 +
public/lmkd.te | 2 ++
public/logd.te | 1 +
public/mediaextractor.te | 1 +
public/mediametrics.te | 1 +
public/mediaserver.te | 1 +
public/performanced.te | 1 +
public/racoon.te | 1 +
public/sdcardd.te | 1 +
public/shell.te | 1 +
public/vendor_init.te | 2 ++
35 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index cf0fa6701..aff3a0a44 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -228,6 +228,7 @@ neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
+neverallow all_untrusted_apps cgroup_v2:file *;
 # /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
 # must not use it.
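Review bot: The new neverallow, like the v1 line above it, asserts only on `cgroup_v2:file`, so an untrusted app acquiring `write`, `add_name` or `create` on a `cgroup_v2:dir` would not be caught, and in the unified hierarchy creating a directory is what creates a cgroup. Nothing in this patch grants appdomain more than `dir search` (private/domain.te excludes appdomain from the write rules), so this is defence in depth rather than a live hole. If the intent is that untrusted apps never touch the v2 tree, consider adding `neverallow all_untrusted_apps cgroup_v2:dir ~r_dir_perms;` next to it, after checking it against device-specific policy.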
diff --git a/private/domain.te b/private/domain.te
index 57e93e401..94bd05936 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,6 +54,10 @@ allow domain cgroup:dir search;
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;
+allow domain cgroup_v2:dir search;
+allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;
diff --git a/private/logpersist.te b/private/logpersist.te
index ac324df88..ab2c9c63f 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,6 +4,7 @@ typeattribute logpersist coredomain;
 userdebug_or_eng(`
 r_dir_file(logpersist, cgroup)
+ r_dir_file(logpersist, cgroup_v2)
 allow logpersist misc_logd_file:file create_file_perms;
 allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 6e85b4285..e5889d16b 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -240,6 +240,7 @@ neverallow priv_app trace_data_file:file { no_w_file_perms open };
 # Do not allow priv_app access to cgroups.
 neverallow priv_app cgroup:file *;
+neverallow priv_app cgroup_v2:file *;
 # Do not allow loading executable code from non-privileged
 # application home directories. Code loading across a security boundary
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 37601b94b..8549bd54c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
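Review bot: The write grant on `cgroup_v2:dir` and `cgroup_v2:file` reaches every domain other than appdomain and rs, and because the whole unified tree carries the single `cgroup_v2` label it covers every control file at every level, including the uid/pid hierarchy this patch introduces; that is broader than most of these daemons need and deserves a comment, even though it mirrors the v1 rules directly above. `create` is not part of `w_file_perms` and public/domain.te asserts it for `cgroup_v2:file` in this same patch, so the rule cannot be used to create control files. I would add above the new lines: `# cgroup v2 is one tree under a single label, so this write grant covers all of its control files; kept in step with the v1 rules above.`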
@@ -100,6 +100,7 @@ allow surfaceflinger inputflinger_service:service_manager find;
 allow surfaceflinger self:global_capability_class_set sys_nice;
 allow surfaceflinger proc_meminfo:file r_file_perms;
 r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, cgroup_v2)
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;
diff --git a/private/system_app.te b/private/system_app.te
index 0aa46e3ec..36208bf2b 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -158,6 +158,7 @@ allow system_app {
 # Settings app writes to /dev/stune/foreground/tasks.
 allow system_app cgroup:file w_file_perms;
+allow system_app cgroup_v2:file w_file_perms;
 control_logd(system_app)
 read_runtime_log_tags(system_app)
diff --git a/private/system_server.te b/private/system_server.te
index e1919e201..1db70820c 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -889,6 +889,7 @@ allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISC
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir { remove_name rmdir };
 # /oem access
 r_dir_file(system_server, oemfs)
@@ -967,9 +968,8 @@ allow system_server preloads_media_file:file { r_file_perms unlink };
 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir rw_dir_perms;
-allow system_server cgroup_v2:file rw_file_perms;
 # Access to /dev/dma_heap/system
 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/private/zygote.te b/private/zygote.te
index 23fed52ef..1a3bcc6f8 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -108,6 +108,8 @@ r_dir_file(zygote, vendor_overlay_file)
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup_v2:dir create_dir_perms;
+allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
 allow zygote self:global_capability_class_set sys_admin;
 # Allow zygote to stat the files that it opens. The zygote must
@@ -190,7 +192,10 @@ get_prop(zygote, device_config_runtime_native_boot_prop)
 get_prop(zygote, device_config_window_manager_native_boot_prop)
 # ingore spurious denials
-dontaudit zygote self:global_capability_class_set sys_resource;
+# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
+# done to determine if the file should inherit setgid. In this case, setgid on the file is
+# undesirable, so suppress the denial.
+dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
 # Ignore spurious denials calling access() on fuse
 # TODO(b/151316657): avoid the denials
diff --git a/public/charger.te b/public/charger.te
index f57853a90..37359e3bf 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -7,6 +7,7 @@ allow charger kmsg_device:chr_file rw_file_perms;
 # Read access to pseudo filesystems.
 r_dir_file(charger, rootfs)
 r_dir_file(charger, cgroup)
+r_dir_file(charger, cgroup_v2)
 # Allow to read /sys/class/power_supply directory
 allow charger sysfs_type:dir r_dir_perms;
diff --git a/public/credstore.te b/public/credstore.te
index db16a8dcb..a2376d2b5 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -14,3 +14,4 @@ allow credstore sec_key_att_app_id_provider_service:service_manager find;
 allow credstore dropbox_service:service_manager find;
 r_dir_file(credstore, cgroup)
+r_dir_file(credstore, cgroup_v2)
diff --git a/public/dhcp.te b/public/dhcp.te
index 67fd0389e..1d875ab17 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
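Review bot: `setattr` on `cgroup_v2:{ file lnk_file }` is the one permission in this hunk with no v1 counterpart and nothing on the line explains it; the fsetid comment further down implies it backs a chmod on the new per-uid/pid cgroup's control files, and because `cgroup_v2` is a single label the grant in fact covers every file in the unified tree, not only that subtree. Please state the intent on the rule, e.g. `# setattr: chmod/chown of the uid/pid cgroup's control files (see the fsetid note below)`. Whether `lnk_file` is needed for v2 is not shown here; it looks carried over from the v1 line and could be dropped if the v2 mount has no symlinks. The dontaudit rewrite and its comment are clear.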
@@ -4,6 +4,7 @@ type dhcp_exec, system_file_type, exec_type, file_type;
 net_domain(dhcp)
 allow dhcp cgroup:dir { create write add_name };
+allow dhcp cgroup_v2:dir { create write add_name };
 allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
 allow dhcp self:packet_socket create_socket_perms_no_ioctl;
 allow dhcp self:netlink_route_socket nlmsg_write;
diff --git a/public/domain.te b/public/domain.te
index aaac8f081..6b29595fc 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1322,10 +1322,12 @@ neverallow domain {
 # cgroupfs directories can be created, but not files within them.
 neverallow domain cgroup:file create;
+neverallow domain cgroup_v2:file create;
 dontaudit domain proc_type:dir write;
 dontaudit domain sysfs_type:dir write;
 dontaudit domain cgroup:file create;
+dontaudit domain cgroup_v2:file create;
 # These are only needed in permissive mode - in enforcing mode the
 # directory write check fails and so these are never attempted.
diff --git a/public/drmserver.te b/public/drmserver.te
index a24ad41ba..eede0fce2 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -61,4 +61,5 @@ allow drmserver mediametrics_service:service_manager find;
 selinux_check_access(drmserver)
 r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, cgroup_v2)
 r_dir_file(drmserver, system_file)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2c5086f77..45540b33a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -134,6 +134,7 @@ allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
 # Read /dev/cpuctl and /dev/cpuset
 r_dir_file(dumpstate, cgroup)
+r_dir_file(dumpstate, cgroup_v2)
 # Allow dumpstate to make binder calls to any binder service
 binder_call(dumpstate, binderservicedomain)
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 7295c2418..d48c5f82d 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -39,3 +39,4 @@ allow gatekeeperd gatekeeper_data_file:file create_file_perms;
 allow gatekeeperd hardware_properties_service:service_manager find;
 r_dir_file(gatekeeperd, cgroup)
+r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/public/hal_cas.te b/public/hal_cas.te
index 7de6a1353..e699a6bac 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -16,6 +16,10 @@ r_dir_file(hal_cas, cgroup)
 allow hal_cas cgroup:dir { search write };
 allow hal_cas cgroup:file w_file_perms;
+r_dir_file(hal_cas, cgroup_v2)
+allow hal_cas cgroup_v2:dir { search write };
+allow hal_cas cgroup_v2:file w_file_perms;
+
 # Allow access to ion memory allocation device
 allow hal_cas ion_device:chr_file rw_file_perms;
 allow hal_cas hal_graphics_allocator:fd use;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 598749134..bb1bd91e6 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -20,6 +20,10 @@ r_dir_file(hal_drm, cgroup)
 allow hal_drm cgroup:dir { search write };
 allow hal_drm cgroup:file w_file_perms;
+r_dir_file(hal_drm, cgroup_v2)
+allow hal_drm cgroup_v2:dir { search write };
+allow hal_drm cgroup_v2:file w_file_perms;
+
 # Allow access to ion memory allocation device
 allow hal_drm ion_device:chr_file rw_file_perms;
 allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 99b60654f..444cfdad0 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -14,6 +14,7 @@ allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
 allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
 r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, cgroup_v2)
 r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 4cb0c5aba..f0cf075c8 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -11,6 +11,8 @@ allow hal_telephony_server kernel:system module_request;
 allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
 allow hal_telephony_server cgroup:dir create_dir_perms;
 allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server cgroup_v2:dir create_dir_perms;
+allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
 allow hal_telephony_server radio_device:chr_file rw_file_perms;
 allow hal_telephony_server radio_device:blk_file r_file_perms;
 allow hal_telephony_server efs_file:dir create_dir_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 5fbe9f214..e19ad1c29 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -13,6 +13,7 @@ r_dir_file(hal_wifi_supplicant, proc_net_type)
 allow hal_wifi_supplicant kernel:system module_request;
 allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
 allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
 allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
 allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/public/healthd.te b/public/healthd.te
index 867384640..05acb84a0 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -11,6 +11,7 @@ allow healthd sysfs_type:dir search;
 allow healthd sysfs:dir r_dir_perms;
 r_dir_file(healthd, rootfs)
 r_dir_file(healthd, cgroup)
+r_dir_file(healthd, cgroup_v2)
 allow healthd self:global_capability_class_set { sys_tty_config };
 allow healthd self:global_capability_class_set sys_boot;
diff --git a/public/init.te b/public/init.te
index 59e6b4e5d..e546ecea3 100644
--- a/public/init.te
+++ b/public/init.te
@@ -103,7 +103,6 @@ allow init {
 postinstall_mnt_dir
 mirror_data_file
 }:dir mounton;
-allow init cgroup_v2:dir { mounton create_dir_perms };
 # Mount bpf fs on sys/fs/bpf
 allow init fs_bpf:dir mounton;
@@ -132,6 +131,8 @@ allow init cgroup_rc_file:file rw_file_perms;
 allow init cgroup_desc_file:file r_file_perms;
 allow init cgroup_desc_api_file:file r_file_perms;
 allow init vendor_cgroup_desc_file:file r_file_perms;
+allow init cgroup_v2:dir { mounton create_dir_perms};
+allow init cgroup_v2:file rw_file_perms;
 # /config
 allow init configfs:dir mounton;
diff --git a/public/inputflinger.te b/public/inputflinger.te
index c3f4da858..b62c06dbe 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -13,3 +13,4 @@ allow inputflinger input_device:dir r_dir_perms;
 allow inputflinger input_device:chr_file rw_file_perms;
 r_dir_file(inputflinger, cgroup)
+r_dir_file(inputflinger, cgroup_v2)
diff --git a/public/installd.te b/public/installd.te
index b9c7b3e39..61c8bce9e 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -26,6 +26,7 @@ allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
 allow installd oemfs:dir r_dir_perms;
 allow installd oemfs:file r_file_perms;
 allow installd cgroup:dir create_dir_perms;
+allow installd cgroup_v2:dir create_dir_perms;
 allow installd mnt_expand_file:dir { search getattr };
 # Check validity of SELinux context before use.
 selinux_check_context(installd)
diff --git a/public/keystore.te b/public/keystore.te
index b8c599c85..1c8d3bd80 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -24,6 +24,7 @@ add_service(keystore, authorization_service)
 selinux_check_access(keystore)
 r_dir_file(keystore, cgroup)
+r_dir_file(keystore, cgroup_v2)
 ###
 ### Neverallow rules
diff --git a/public/lmkd.te b/public/lmkd.te
index c9f2e6413..de6052da8 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
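Review bot: The re-added rule `allow init cgroup_v2:dir { mounton create_dir_perms};` drops the space before the closing brace that the removed line had; write it `allow init cgroup_v2:dir { mounton create_dir_perms };` to match the rest of the file. Moving it next to the other cgroup rules is an improvement. The new `rw_file_perms` on `cgroup_v2:file` is wider than the `w_file_perms` init already receives from private/domain.te in this patch, so a one-line comment on why init needs the read side (presumably controller discovery, to be confirmed) would help the next reader.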
@@ -26,9 +26,11 @@ allow lmkd kernel:process { setsched };
 # Clean up old cgroups
 allow lmkd cgroup:dir { remove_name rmdir };
+allow lmkd cgroup_v2:dir { remove_name rmdir };
 # Allow to read memcg stats
 allow lmkd cgroup:file r_file_perms;
+allow lmkd cgroup_v2:file r_file_perms;
 # Set self to SCHED_FIFO
 allow lmkd self:global_capability_class_set sys_nice;
diff --git a/public/logd.te b/public/logd.te
index b0acb142b..81871798a 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,6 +4,7 @@ type logd_exec, system_file_type, exec_type, file_type;
 # Read access to pseudo filesystems.
 r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
 r_dir_file(logd, proc_kmsg)
 r_dir_file(logd, proc_meminfo)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 1f3403088..06f7928f1 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,6 +20,7 @@ hal_client_domain(mediaextractor, hal_cas)
 hal_client_domain(mediaextractor, hal_allocator)
 r_dir_file(mediaextractor, cgroup)
+r_dir_file(mediaextractor, cgroup_v2)
 allow mediaextractor proc_meminfo:file r_file_perms;
 crash_dump_fallback(mediaextractor)
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 0e56b07ec..468c0d02c 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -12,6 +12,7 @@ add_service(mediametrics, mediametrics_service)
 allow mediametrics system_server:fd use;
 r_dir_file(mediametrics, cgroup)
+r_dir_file(mediametrics, cgroup_v2)
 allow mediametrics proc_meminfo:file r_file_perms;
 # allows interactions with dumpsys to GMScore
diff --git a/public/mediaserver.te b/public/mediaserver.te
index d32b9d9a7..388001d19 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -9,6 +9,7 @@ net_domain(mediaserver)
 r_dir_file(mediaserver, sdcard_type)
 r_dir_file(mediaserver, cgroup)
+r_dir_file(mediaserver, cgroup_v2)
 # stat /proc/self
 allow mediaserver proc:lnk_file getattr;
diff --git a/public/performanced.te b/public/performanced.te
index 7dcb5ea1e..d694fda9d 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -28,3 +28,4 @@ userdebug_or_eng(`
 # Access /dev/cpuset/cpuset.cpus
 r_dir_file(performanced, cgroup)
+r_dir_file(performanced, cgroup_v2)
diff --git a/public/racoon.te b/public/racoon.te
index 688874024..e4b299e98 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -12,6 +12,7 @@ binder_use(racoon)
 allow racoon tun_device:chr_file r_file_perms;
 allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
 allow racoon cgroup:dir { add_name create };
+allow racoon cgroup_v2:dir { add_name create };
 allow racoon kernel:system module_request;
 allow racoon self:key_socket create_socket_perms_no_ioctl;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 1ae377082..bb1c919e8 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -2,6 +2,7 @@ type sdcardd, domain;
 type sdcardd_exec, system_file_type, exec_type, file_type;
 allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd cgroup_v2:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
 allow sdcardd sdcardfs:filesystem remount;
diff --git a/public/shell.te b/public/shell.te
index c8aa9e997..29c07a44e 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -126,6 +126,7 @@ r_dir_file(shell, cgroup)
 allow shell cgroup_desc_file:file r_file_perms;
 allow shell cgroup_desc_api_file:file r_file_perms;
 allow shell vendor_cgroup_desc_file:file r_file_perms;
+r_dir_file(shell, cgroup_v2)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 685317bf3..8d436b9bb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
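Review bot: In public/shell.te the new `r_dir_file(shell, cgroup_v2)` is separated from its v1 twin `r_dir_file(shell, cgroup)` (the hunk's context line) by the three cgroup_desc rules, so the pair of read grants that belong together is split; place it directly after `r_dir_file(shell, cgroup)`. Behaviour is unaffected; this is only about keeping the v1/v2 pairs adjacent, as every other file touched by this patch does.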
@@ -16,6 +16,8 @@ allow vendor_init rootfs:lnk_file { create unlink };
 # Create cgroups mount points in tmpfs and mount cgroups on them.
 allow vendor_init cgroup:dir create_dir_perms;
 allow vendor_init cgroup:file w_file_perms;
+allow vendor_init cgroup_v2:dir create_dir_perms;
+allow vendor_init cgroup_v2:file w_file_perms;
 # /config
 allow vendor_init configfs:dir mounton;
From 98a5e60592b00e17eb8364d5734f8203bc8551bc Mon Sep 17 00:00:00 2001
From: Marco Ballesio
Date: Fri, 12 Feb 2021 13:25:59 -0800
Subject: [PATCH 2/2] sepolicy: grant system_server process group creation rights
system_server must be allowed to create process groups in behalf of processes spawned by the app zygote
Bug: 62435375
Bug: 168907513
Test: verified that webview processes are migrated in their own process group
Change-Id: Icd9cd53b759a79fe4dc46f7ffabc0cf248e6e4b8
---
private/system_server.te | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/private/system_server.te b/private/system_server.te
index 1db70820c..a637d3ec2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -887,9 +887,10 @@ allow system_server block_device:dir search;
 allow system_server frp_block_device:blk_file rw_file_perms;
 allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-# Clean up old cgroups
+# Create new process groups and clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
-allow system_server cgroup_v2:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir create_dir_perms;
+allow system_server cgroup_v2:file { r_file_perms setattr };
 # /oem access
 r_dir_file(system_server, oemfs)
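Review bot: `setattr` on `cgroup_v2:file` is granted to system_server without explanation: the commit message mentions only creating process groups, and the rewritten comment `# Create new process groups and clean up old cgroups` now sits over the v1 line that still has only `{ remove_name rmdir }`, so it misdescribes that rule. Split the comment so each rule is described: keep `# Clean up old cgroups` on the v1 line and put `# Create per-uid/pid cgroups for app-zygote children and clean them up; setattr covers chown/chmod of their control files` above the two v2 lines. If system_server takes the same chmod path that the first patch documents for zygote, the `fsetid` denial suppressed there may surface for system_server as well, so audit logs from the test in the message are worth a look.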