ca0690e8eb
This patch extends the current debug-specific rules to cover user
builds. As a reminder, on user, the target process fork-execs a private
heapprofd process, which then performs stack unwinding & talking to the
central tracing daemon while staying in the target's domain. The central
heapprofd daemon is only responsible for identifying targets & sending
the activation signal. On the other hand, on debug, the central
heapprofd can handle all processes directly, so the necessary SELinux
capabilities depend on the build type.
These rules are necessary but not sufficient for profiling. For zygote
children, the libc triggering logic will also check for the app to
either be debuggable, or go/profileable.
For more context, see go/heapprofd-security & go/heapprofd-design.
Note that I've had to split this into two separate macros, as
exec_no_trans - which is necessary on user, but nice-to-have on debug -
conflicts with a lot of neverallows (e.g. HALs and system_server) for
the wider whitelisting that we do on debug builds.
Test: built & flashed on {blueline-userdebug, blueline-user}, activated profiling of whitelisted/not domains & checked for lack of denials in logcat.
Bug: 120409382
Change-Id: Id0defc3105b99f777bcee2046d9894a2b39c6a29
190 lines
6.2 KiB
Text
190 lines
6.2 KiB
Text
# Transition to crash_dump when /system/bin/crash_dump* is executed.
|
|
# This occurs when the process crashes.
|
|
# We do not apply this to the su domain to avoid interfering with
|
|
# tests (b/114136122)
|
|
domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
|
|
allow domain crash_dump:process sigchld;
|
|
|
|
# Allow every process to check the heapprofd.enable properties to determine
|
|
# whether to load the heap profiling library. This does not necessarily enable
|
|
# heap profiling, as initialization will fail if it does not have the
|
|
# necessary SELinux permissions.
|
|
get_prop(domain, heapprofd_prop);
|
|
# Allow heap profiling on debug builds.
|
|
userdebug_or_eng(`can_profile_heap_userdebug_or_eng({
|
|
domain
|
|
-bpfloader
|
|
-init
|
|
-kernel
|
|
-keystore
|
|
-llkd
|
|
-logd
|
|
-ueventd
|
|
-vendor_init
|
|
-vold
|
|
})')
|
|
|
|
# Path resolution access in cgroups.
|
|
allow domain cgroup:dir search;
|
|
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
|
|
allow { domain -appdomain -rs } cgroup:file w_file_perms;
|
|
|
|
# For now, everyone can access core property files
|
|
# Device specific properties are not granted by default
|
|
not_compatible_property(`
|
|
get_prop(domain, core_property_type)
|
|
get_prop(domain, exported_dalvik_prop)
|
|
get_prop(domain, exported_ffs_prop)
|
|
get_prop(domain, exported_system_radio_prop)
|
|
get_prop(domain, exported2_config_prop)
|
|
get_prop(domain, exported2_radio_prop)
|
|
get_prop(domain, exported2_system_prop)
|
|
get_prop(domain, exported2_vold_prop)
|
|
get_prop(domain, exported3_default_prop)
|
|
get_prop(domain, exported3_radio_prop)
|
|
get_prop(domain, exported3_system_prop)
|
|
get_prop(domain, vendor_default_prop)
|
|
')
|
|
compatible_property_only(`
|
|
get_prop({coredomain appdomain shell}, core_property_type)
|
|
get_prop({coredomain appdomain shell}, exported_dalvik_prop)
|
|
get_prop({coredomain appdomain shell}, exported_ffs_prop)
|
|
get_prop({coredomain appdomain shell}, exported_system_radio_prop)
|
|
get_prop({coredomain appdomain shell}, exported2_config_prop)
|
|
get_prop({coredomain appdomain shell}, exported2_radio_prop)
|
|
get_prop({coredomain appdomain shell}, exported2_system_prop)
|
|
get_prop({coredomain appdomain shell}, exported2_vold_prop)
|
|
get_prop({coredomain appdomain shell}, exported3_default_prop)
|
|
get_prop({coredomain appdomain shell}, exported3_radio_prop)
|
|
get_prop({coredomain appdomain shell}, exported3_system_prop)
|
|
get_prop({domain -coredomain -appdomain}, vendor_default_prop)
|
|
')
|
|
|
|
# Limit ability to ptrace or read sensitive /proc/pid files of processes
|
|
# with other UIDs to these whitelisted domains.
|
|
neverallow {
|
|
domain
|
|
-vold
|
|
userdebug_or_eng(`-llkd')
|
|
-dumpstate
|
|
userdebug_or_eng(`-incidentd')
|
|
-storaged
|
|
-system_server
|
|
userdebug_or_eng(`-perfprofd')
|
|
} self:global_capability_class_set sys_ptrace;
|
|
|
|
# Limit ability to generate hardware unique device ID attestations to priv_apps
|
|
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vendor_init
|
|
userdebug_or_eng(`-domain')
|
|
} debugfs_tracing_debug:file no_rw_file_perms;
|
|
|
|
# System_server owns dropbox data, and init creates/restorecons the directory
|
|
# Disallow direct access by other processes.
|
|
neverallow { domain -init -system_server } dropbox_data_file:dir *;
|
|
neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
|
|
|
|
###
|
|
# Services should respect app sandboxes
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-installd # creation of sandbox
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
|
|
|
|
# Only the following processes should be directly accessing private app
|
|
# directories.
|
|
neverallow {
|
|
domain
|
|
-adbd
|
|
-appdomain
|
|
-app_zygote
|
|
-dexoptanalyzer
|
|
-installd
|
|
userdebug_or_eng(`-perfprofd')
|
|
-profman
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
-runas
|
|
-system_server
|
|
-viewcompiler
|
|
} { privapp_data_file app_data_file }:dir *;
|
|
|
|
# Only apps should be modifying app data. installd is exempted for
|
|
# restorecon and package install/uninstall.
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-installd
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
} { privapp_data_file app_data_file }:dir ~r_dir_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-app_zygote
|
|
-installd
|
|
userdebug_or_eng(`-perfprofd')
|
|
-rs # spawned by appdomain, so carryover the exception above
|
|
} { privapp_data_file app_data_file }:file_class_set open;
|
|
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
-installd # creation of sandbox
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
|
|
|
|
neverallow {
|
|
domain
|
|
-installd
|
|
} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
|
|
|
|
# The staging directory contains APEX and APK files. It is important to ensure
|
|
# that these files cannot be accessed by other domains to ensure that the files
|
|
# do not change between system_server staging the files and apexd processing
|
|
# the files.
|
|
neverallow { domain -init -system_server -apexd } staging_data_file:dir *;
|
|
neverallow { domain -init -system_server -apexd -kernel } staging_data_file:file *;
|
|
neverallow { domain -init -system_server } staging_data_file:dir no_w_dir_perms;
|
|
# apexd needs the link permission, so list every `no_w_file_perms` except for `link`.
|
|
neverallow { domain -init -system_server } staging_data_file:file
|
|
{ append create unlink relabelfrom rename setattr write no_x_file_perms };
|
|
|
|
neverallow {
|
|
domain
|
|
-appdomain # for oemfs
|
|
-bootanim # for oemfs
|
|
-recovery # for /tmp/update_binary in tmpfs
|
|
} { fs_type -rootfs }:file execute;
|
|
|
|
#
|
|
# Assert that, to the extent possible, we're not loading executable content from
|
|
# outside the rootfs or /system partition except for a few whitelisted domains.
|
|
# Executable files loaded from /data is a persistence vector
|
|
# we want to avoid. See
|
|
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
|
|
#
|
|
neverallow {
|
|
domain
|
|
-appdomain
|
|
with_asan(`-asan_extract')
|
|
-shell
|
|
userdebug_or_eng(`-su')
|
|
-system_server_startup # for memfd backed executable regions
|
|
-app_zygote
|
|
-webview_zygote
|
|
-zygote
|
|
userdebug_or_eng(`-mediaextractor')
|
|
userdebug_or_eng(`-mediaswcodec')
|
|
} {
|
|
file_type
|
|
-system_file_type
|
|
-system_lib_file
|
|
-system_linker_exec
|
|
-vendor_file_type
|
|
-exec_type
|
|
-postinstall_file
|
|
}:file execute;
|