9a5992336e
Creating a per-user encrypted directory such as /data/system_ce/0 and the subdirectories in it too early has been a recurring bug. Typically, individual services in system_server are to blame; system_server has permission to create these directories, and it's easy to write "mkdirs()" instead of "mkdir()". Such bugs are very bad, as they prevent these directories from being encrypted, as encryption policies can only be set on empty directories. Due to recent changes, a factory reset is now forced in such cases, which helps detect these bugs; however, it would be much better to prevent them in the first place. This CL locks down the ability to create these directories to just vold and init, or to just vold when possible. This is done by assigning new types to the directories that contain these directories, and then only allowing the needed domains to write to these parent directories. This is similar to what https://r.android.com/1117297 did for /data itself. Three new types are used instead of just one, since these directories had three different types already (system_data_file, media_rw_data_file, vendor_data_file), and this allows the policy to be a bit more precise. A significant limitation is that /data/user/0 is currently being created by init during early boot. Therefore, this CL doesn't help much for /data/user/0, though it helps a lot for the other directories. As the next step, I'll try to eliminate the /data/user/0 quirk. Anyway, this CL is needed regardless of whether we're able to do that. Test: Booted cuttlefish. Ran 'sm partition disk:253,32 private', then created and deleted a user. Used 'ls -lZ' to check the relevant SELinux labels on both internal and adoptable storage. Also did similar tests on raven, with the addition of going through the setup wizard and using an app that creates media files. No relevant SELinux denials seen during any of this. Bug: 156305599 Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
133 lines
4.9 KiB
Text
133 lines
4.9 KiB
Text
# Perfetto command-line client. Can be used only from the domains that are
|
|
# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
|
|
# This command line client accesses the privileged socket of the traced
|
|
# daemon.
|
|
|
|
type perfetto_exec, system_file_type, exec_type, file_type;
|
|
type perfetto_tmpfs, file_type;
|
|
|
|
tmpfs_domain(perfetto);
|
|
|
|
# Allow init to start a trace (for perfetto_boottrace).
|
|
init_daemon_domain(perfetto)
|
|
|
|
# Allow to access traced's privileged consumer socket.
|
|
unix_socket_connect(perfetto, traced_consumer, traced)
|
|
|
|
# Connect to the Perfetto traced daemon as a producer. This requires
|
|
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
|
|
perfetto_producer(perfetto)
|
|
|
|
# Allow to write and unlink traces into /data/misc/perfetto-traces.
|
|
allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
|
|
allow perfetto perfetto_traces_data_file:file create_file_perms;
|
|
|
|
# Allow perfetto to access the proxy service for reporting traces.
|
|
allow perfetto tracingproxy_service:service_manager find;
|
|
binder_use(perfetto)
|
|
binder_call(perfetto, system_server)
|
|
|
|
# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
|
|
# shell and adb can write files into that directory.
|
|
allow perfetto perfetto_configs_data_file:dir r_dir_perms;
|
|
allow perfetto perfetto_configs_data_file:file r_file_perms;
|
|
|
|
# Allow perfetto to read the trace config from statsd, mm_events and shell
|
|
# (both root and non-root) on stdin and also to write the resulting trace to
|
|
# stdout.
|
|
allow perfetto { statsd mm_events shell su }:fd use;
|
|
allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
|
|
|
|
# Allow to communicate use, read and write over the adb connection.
|
|
allow perfetto adbd:fd use;
|
|
allow perfetto adbd:unix_stream_socket { read write };
|
|
|
|
# Allow adbd to reap perfetto.
|
|
allow perfetto adbd:process { sigchld };
|
|
|
|
# Allow perfetto to write to statsd.
|
|
unix_socket_send(perfetto, statsdw, statsd)
|
|
|
|
# Allow to access /dev/pts when launched in an adb shell.
|
|
allow perfetto devpts:chr_file rw_file_perms;
|
|
|
|
# Allow perfetto to ask incidentd to start a report.
|
|
# TODO(lalitm): remove all incidentd rules when proxy service is stable.
|
|
allow perfetto incident_service:service_manager find;
|
|
binder_call(perfetto, incidentd)
|
|
|
|
# perfetto log formatter calls isatty() on its stderr. Denial when running
|
|
# under adbd is harmless. Avoid generating denial logs.
|
|
dontaudit perfetto adbd:unix_stream_socket getattr;
|
|
dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
|
|
# As above, when adbd is running in "su" domain (only the ioctl is denied in
|
|
# practice).
|
|
dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
|
|
# Similarly, CTS tests end up hitting a denial on shell pipes.
|
|
dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
# Disallow anyone else from being able to handle traces except selected system
|
|
# components.
|
|
neverallow {
|
|
domain
|
|
-init # The creator of the folder.
|
|
-perfetto # The owner of the folder.
|
|
-adbd # For pulling traces.
|
|
-shell # For devepment purposes.
|
|
-traced # For write_into_file traces.
|
|
-dumpstate # For attaching traces to bugreports.
|
|
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
|
|
-priv_app # For stating traces for bug-report UI.
|
|
} perfetto_traces_data_file:dir *;
|
|
neverallow {
|
|
domain
|
|
-init # The creator of the folder.
|
|
-perfetto # The owner of the folder.
|
|
-adbd # For pulling traces.
|
|
-shell # For devepment purposes.
|
|
-traced # For write_into_file traces.
|
|
-incidentd # For receiving reported traces. TODO(lalitm): remove this.
|
|
} perfetto_traces_data_file:file ~{ getattr read };
|
|
|
|
### perfetto should NEVER do any of the following
|
|
|
|
# Disallow mapping executable memory (execstack and exec are already disallowed
|
|
# globally in domain.te).
|
|
neverallow perfetto self:process execmem;
|
|
|
|
# Block device access.
|
|
neverallow perfetto dev_type:blk_file { read write };
|
|
|
|
# ptrace any other process
|
|
neverallow perfetto domain:process ptrace;
|
|
|
|
# Disallows access to other /data files.
|
|
neverallow perfetto {
|
|
data_file_type
|
|
-system_data_file
|
|
-system_data_root_file
|
|
-media_userdir_file
|
|
-system_userdir_file
|
|
-vendor_userdir_file
|
|
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
|
|
# neverallow. Currently only getattr and search are allowed.
|
|
-vendor_data_file
|
|
-zoneinfo_data_file
|
|
-perfetto_traces_data_file
|
|
-perfetto_configs_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:dir *;
|
|
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
|
|
neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
|
|
neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
|
|
neverallow perfetto {
|
|
data_file_type
|
|
-zoneinfo_data_file
|
|
-perfetto_traces_data_file
|
|
-perfetto_configs_data_file
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:file ~write;
|