Brings in the io_uring class and associated restrictions and adds a new
macro, `io_uring_use`, to sepolicy.
In more detail, this change:
* Adds a new macro expands to ensure the domain it is passed can undergo a
type transition to a new type, `<domain>_iouring`, when the anon_inode
being accessed is labeled `[io_uring]`. It also allows the domain to
create, read, write, and map the io_uring anon_inode.
* Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag
during `io_uring_setup` so that a syscall to `io_uring_enter` is not
required by the caller each time it wishes to submit IO. This can be
enabled securely as long as we don't enable sharing of io_uring file
descriptors across domains. The kernel polling thread created by `SQPOLL`
will inherit the credentials of the thread that created the io_uring [1].
* Removes the selinux policy that restricted all domains that make use of
the `userfault_fd` macro from any `anon_inode` created by another domain.
This is overly restrictive, as it prohibits the use of two different
`anon_inode` use cases in a single domain e.g. userfaultfd and io_uring.
This change also replaces existing sepolicy in fastbootd and snapuserd
that enabled the use of io_uring.
[1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/
Bug: 253385258
Test: m selinux_policy
Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423
Test: Manually deliver OTAs (built with m dist) to a recent Pixel device
and ensure snapuserd functions correctly (no io_uring failures)
Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f
This is required during OTA. File will be removed
once OTA update is completed.
Bug: 262407519
Test: OTA on Pixel
Change-Id: I8922ebaaa89f9075fe47d2b74f61071b657850f0
Signed-off-by: Akilesh Kailash <akailash@google.com>
Starting with
91a9ab7c94
, calling io_uring_setup will need selinux permission to create anon
inodes.
Test: th
Bug: 244785938
Change-Id: I351983fefabe0f6fdaf9272506ea9dd24bc083a9
snapuserd uses an inotify watch to detect when /dev/socket/snapuserd has
been created.
Bug: N/A
Test: no denials after applying OTA on cuttlefish
Change-Id: I2ca16aee84ce7648bceea5c5de32a561b932f528
Add selinux policy to allow snapuserd to search
through /dev/block/ and read /sys/block directory.
Bug: 193863442
Test: OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I656aee69f4c07ed7caeb1c3c14e44e1a25bd1ba1
This adds a new property prefix owned by snapuserd, for communicating
when the service is ready to accept connections (snapuserd.ready and
snapuserd.proxy_ready).
This also adds a new socket context. This is a seqpacket socket used to
communicate with a special instance of snapuserd that bridges to the
first-stage daemon.
Bug: 193833730
Test: no denials after OTA applies and boots
Change-Id: Ibad03659eba5c25e205ba00f27d0b4f98585a84b
The initial launch of snapuserd happens in first-stage init, before
sepolicy is loaded, since snapuserd is needed to mount initial
partitions. After sepolicy is loaded, we immediately re-launch snapuserd
in the correct context. This requires a transition similar to init.
The "allow" lines for the kernel happen in permissive mode, since we
need to relabel critical parts of /dev/block in order to re-launch
snapuserd.
Bug: 173476209
Test: OTA applies with ro.virtual_ab.compression.enabled = true
Change-Id: I80184e737ccb558107a14b384a61f7fec31c9428
Restrict access to controlling snapuserd via ctl properties. Allow
update_engine to control snapuserd, and connect/write to its socket.
update_engine needs this access so it can create the appropriate dm-user
device (which sends queries to snapuserd), which is then used to build
the update snapshot.
This also fixes a bug where /dev/dm-user was not properly labelled. As a
result, snapuserd and update_engine have been granted r_dir_perms to
dm_user_device.
Bug: 168554689
Test: full ota with VABC enabled
Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
dm-user is a new device-mapper module, providing a FUSE-like service for
block devices. It creates control nodes as misc devices under
/dev/dm-user/. Make sure these nodes get a unique selabel.
snapuserd is a daemon for servicing requests from dm-user. It is a
low-level component of Virtual A/B updates, and provides the bridge
betewen dm-snapshot and the new COW format. For this reason it needs
read/write access to device-mapper devices.
Bug: 168259959
Test: ctl.start snapuserd, no denials
vts_libsnapshot_test, no denials
Change-Id: I36858a23941767f6127d6fbb9e6755c68b91ad31
