9b2e0cbeea
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.
This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.
This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.
Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831
Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
63 lines
1.9 KiB
Text
63 lines
1.9 KiB
Text
type crash_dump, domain;
|
|
type crash_dump_exec, exec_type, file_type;
|
|
|
|
allow crash_dump {
|
|
domain
|
|
-init
|
|
-crash_dump
|
|
-keystore
|
|
-logd
|
|
}:process { ptrace signal sigchld sigstop sigkill };
|
|
|
|
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
|
|
# which will result in an audit log even when it's allowed to trace.
|
|
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
|
|
|
|
userdebug_or_eng(`
|
|
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
|
|
|
|
# Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
|
|
allow crash_dump kmsg_debug_device:chr_file { open append };
|
|
')
|
|
|
|
# Use inherited file descriptors
|
|
allow crash_dump domain:fd use;
|
|
|
|
# Write to the IPC pipe inherited from crashing processes.
|
|
# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
|
|
allow crash_dump domain:fifo_file { write append };
|
|
|
|
r_dir_file(crash_dump, domain)
|
|
allow crash_dump exec_type:file r_file_perms;
|
|
|
|
# Read /data/dalvik-cache.
|
|
allow crash_dump dalvikcache_data_file:dir { search getattr };
|
|
allow crash_dump dalvikcache_data_file:file r_file_perms;
|
|
|
|
# Read APK files.
|
|
r_dir_file(crash_dump, apk_data_file);
|
|
|
|
# Read all /vendor
|
|
r_dir_file(crash_dump, { vendor_file same_process_hal_file })
|
|
|
|
# Talk to tombstoned
|
|
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
|
|
|
|
# Talk to ActivityManager.
|
|
unix_socket_connect(crash_dump, system_ndebug, system_server)
|
|
|
|
# Append to ANR files.
|
|
allow crash_dump anr_data_file:file { append getattr };
|
|
|
|
# Append to tombstone files.
|
|
allow crash_dump tombstone_data_file:file { append getattr };
|
|
|
|
read_logd(crash_dump)
|
|
|
|
###
|
|
### neverallow assertions
|
|
###
|
|
|
|
# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
|
|
# Do not allow the execution of crash_dump without a domain transition.
|
|
neverallow domain crash_dump_exec:file execute_no_trans;
|