Commit graph

26 commits

Author SHA1 Message Date
Marco Ballesio
aa8bb3a29b Revert^3 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
a54bed6907

Bug: 151660495
Test: verified proper boot in regular mode and proper working of adb in
recovery

Change-Id: Id70d27a6162af6ede94661005d80a2a780057089
2021-02-04 22:33:14 +00:00
Marco Ballesio
a54bed6907 Revert^2 "sepolicy: rules for uid/pid cgroups v2 hierarchy"
51c04ac27b

Change-Id: Idc35a84b5faabfb9bdd7a7693f51b11938eb0489
2021-01-27 06:07:48 +00:00
Jonglin Lee
51c04ac27b Revert "sepolicy: rules for uid/pid cgroups v2 hierarchy"
Revert submission 1511692-cgroup v2 uid/pid hierarchy

Reason for revert: Causing intermittent cgroup kernel panics
Reverted Changes:
I80c2a069b:sepolicy: rules for uid/pid cgroups v2 hierarchy
I73f3e767d:libprocessgroup: uid/pid hierarchy for cgroup v2

Bug: 174776875
Change-Id: I63a03bb43d87c9aa564b1436a45fd5ec023aac87
Test: Locally reverted and booted 100 times without kernel panic
2020-12-04 03:12:59 +00:00
Marco Ballesio
f46d7a26c1 sepolicy: rules for uid/pid cgroups v2 hierarchy
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
2020-11-30 11:46:14 -08:00
Suren Baghdasaryan
d66fc4909f sepolicy: Allow lmkd to communicate with its other instance for reinit
Lmkd should implement reinit functionality and to do so it needs to
communicate with its running instance using socket.

Bug: 155149944
Test: lmkd --reinit
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I81455fe187830081d88f001b4588f7607b1bd1d0
2020-05-07 15:42:24 +00:00
Inseob Kim
55e5c9b513 Move system property rules to private
public/property split is landed to selectively export public types to
vendors. So rules happening within system should be in private. This
introduces private/property.te and moves all allow and neverallow rules
from any coredomains to system defiend properties.

Bug: 150331497
Test: system/sepolicy/tools/build_policies.sh
Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe
(cherry picked from commit 42c7d8966c)
2020-03-18 16:46:04 +00:00
Suren Baghdasaryan
ee57f177d8 allow init to communicate with lmkd and lmkd to kill native processes
init should register native services with lmkd so that they can be killed
when necessary. Allow init to communicate with lmkd over dedicated socket
the same way AMS does. Allow lmkd to kill and manipulate native processes
that were registered with lmkd.

Bug: 129011369
Test: boot and verify native service registration
Test: verify lmkd can kill registered native processes using lmkd_unit_test
Change-Id: Idfc814bd08115c548e97f11a6bdb006790cbb4ed
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-11-07 18:19:44 +00:00
Suren Baghdasaryan
d210b7e729 sepolicy: Allow lmkd access to vmstat file
Lmkd needs read access to /proc/vmstat to read workingset_refault and
pgscan metrics.

Bug: 132642304
Test: lmkd_unit_test
Change-Id: I7db1b85552c6ca2d5ad76041ca29687146bde769
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-09-30 16:57:35 +00:00
Nick Kralevich
44b0efb332 Add TODOs
Bug: 131761776
Test: compiles
Change-Id: Iba3ad475ce25a1ece96717ceecb7c4df8e358d48
2019-05-02 08:29:21 -07:00
Jim Blackler
3cfad10c04 lmkd: grant access to /proc/lowmemorykiller
lmkd needs to read /proc/lowmemorykiller to send statslog events in response to
applications being killed.

Bug: 130017100
Change-Id: I929d5a372e1b2f63b7b5ed421f1898ebddaec01c
2019-04-29 10:49:58 +00:00
Wei Wang
eff6ddf668 Allow lmkd to setched kernel threads
psi monitor sched_setscheduler(kworker->task, SCHED_FIFO, &param) was added into pa/1282597

Bug: 127637796
Test: build
Change-Id: I8f2470fc40bc8d02a7fbbbe186afe580c5f53aa4
2019-03-20 23:06:32 +00:00
Suren Baghdasaryan
53065d6aa8 sepolicy: Allow lmkd access to psi procfs nodes
Lmkd needs read access to /proc/pressure/memory, proc/pressure/cpu
and proc/pressure/io nodes to read current psi levels.
Lmkd needs write access to /proc/pressure/memory to set psi monitor
triggers.

Bug: 111308141
Test: modified lmkd to use PSI and tested using lmkd_unit_test

Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Merged-In: I9efd60c7fbb89cc08938fa5119b13d794813b52b
Change-Id: I9efd60c7fbb89cc08938fa5119b13d794813b52b
2019-03-13 10:00:37 -07:00
Wei Wang
abeaa3bc92 Allow lmkd to renice process before killing
Bug: 118468011
Test: mem-pressure test
Change-Id: Icf387a02243af60a3bfffba912711f037669fa7f
2019-01-14 22:52:32 -08:00
Howard Ro
98de322a03 Allow zygote to write to statsd and refactor
We plan on migrating MetricsLogger to write to statsd socket. So we need to
allow zygote, which writes to logd using MetricsLogger, to also be able
to statsd. We also re-locate some sepolicies to write to statsd socket
in their respective policy definitions.

Bug: 110537511
Test: no failure/violations observed
Change-Id: I21fd352a25ed946516f9a45ac3b5e9bf97b059bc
2018-10-08 13:48:28 -07:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
Benjamin Gordon
342362ae3e sepolicy: grant dac_read_search to domains with dac_override
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order
of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of
dac_override and dac_read_search checks.  Domains that have dac_override
will now generate spurious denials for dac_read_search unless they also
have that permission.  Since dac_override is a strict superset of
dac_read_search, grant dac_read_search to all domains that already have
dac_override to get rid of the denials.

Bug: 114280985
Bug: crbug.com/877588
Test: Booted on a device running 4.14.
Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
2018-09-19 15:54:37 -06:00
Suren Baghdasaryan
c8ed855ede Selinux: Allow lmkd write access to sys.lmk. properties
Allow lmkd write access to sys.lmk. properties to be able to set
sys.lmk.minfree_levels.

Bug: 111521182
Test: getprop sys.lmk.minfree_levels returns value set by lmkd
Change-Id: I86ff11d75917966857d3a76876a56799bb92a5ad
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2018-08-10 20:05:46 +00:00
Suren Baghdasaryan
76384b3ee0 Selinux: Give lmkd read access to /proc/meminfo
Allow lmkd read access to /proc/meminfo for retrieving information
on memory state.

Change-Id: I7cf685813a5a49893c8f9a6ac4b5f6619f3c18aa
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2018-04-13 21:35:52 +00:00
Mark Salyzyn
d583e5966e lmkd: add live-lock killer daemon
llkd needs the ability to forcibly crash the kernel if
cause is unlikely to result in an orderly shutdown. It
also needs to scan /proc/<pid> for additional process
information.

Test: lmkd_unit_test --gtest_filter=llkd.*
Bug: 33808187
Change-Id: I7f158a13814e79d5ec71fe90dbc7461abb521945
2018-02-05 12:12:51 -08:00
Benjamin Gordon
9b2e0cbeea sepolicy: Add rules for non-init namespaces
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.

This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.

This is essentially:
  1. New global_capability_class_set and global_capability2_class_set
     that match capability+cap_userns and capability2+cap2_userns,
     respectively.
  2. s/self:capability/self:global_capability_class_set/g
  3. s/self:capability2/self:global_capability2_class_set/g
  4. Add cap_userns and cap2_userns to the existing capability_class_set
     so that it covers all capabilities.  This set was used by several
     neverallow and dontaudit rules, and I confirmed that the new
     classes are still appropriate.

Test: diff new policy against old and confirm that all new rules add
      only cap_userns or cap2_userns;
      Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831

Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
2017-11-21 08:34:32 -07:00
Tri Vo
a0748a75f4 Restrict lmkd read access from sysfs_type to sysfs_lowmemorykiller.
Bug: 65643247
Test: device boots without denials from lmkd
Change-Id: I6db8b52a4fb3edefbcbc87d6ca5f1b76162e9dce
2017-09-20 16:29:25 -07:00
Robert Benea
1a05283cd9 Allow lmkd read memcg stats.
Currently lmkd is not able to read memcg info. The mem/swap usage
info are used by lmkd to ugrade medium pressure events to critical
level.

Test: tested on gobo
Bug: 65180281
Change-Id: I19d0eb53d5e754c176ffeda1b5d07049e6af8570
2017-08-30 14:02:38 -07:00
Nick Kralevich
d5b6043f51 more ephemeral_app cleanup
As of https://android-review.googlesource.com/324092, ephemeral_app is
now an appdomain, so places where both appdomain and ephemeral_app are
granted the same set of rules can be deleted.

Test: policy compiles.
Change-Id: Ideee710ea47af7303e5eb3af1331653afa698415
2017-01-20 14:35:17 +00:00
Nick Kralevich
0fa81a27a0 Remove domain_deprecated from some domains.
No denials showing up in collected audit logs.

Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I5a0d4f3c51d296bfa04e71fc226a01dcf5b5b508
2016-11-25 17:37:30 -08:00
Chad Brubaker
06cf31eb63 Rename autoplay_app to ephemeral_app
Test: Builds and boots
Change-Id: I3db64e12f0390c6940f5745eae83ce7efa7d65a9
2016-10-07 09:52:31 -07:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from lmkd.te (Browse further)