tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/traced.te
Eric Biggers 9a5992336e Restrict creating per-user encrypted directories 
Creating a per-user encrypted directory such as /data/system_ce/0 and
the subdirectories in it too early has been a recurring bug.  Typically,
individual services in system_server are to blame; system_server has
permission to create these directories, and it's easy to write
"mkdirs()" instead of "mkdir()".  Such bugs are very bad, as they
prevent these directories from being encrypted, as encryption policies
can only be set on empty directories.  Due to recent changes, a factory
reset is now forced in such cases, which helps detect these bugs;
however, it would be much better to prevent them in the first place.

This CL locks down the ability to create these directories to just vold
and init, or to just vold when possible.  This is done by assigning new
types to the directories that contain these directories, and then only
allowing the needed domains to write to these parent directories.  This
is similar to what https://r.android.com/1117297 did for /data itself.

Three new types are used instead of just one, since these directories
had three different types already (system_data_file, media_rw_data_file,
vendor_data_file), and this allows the policy to be a bit more precise.

A significant limitation is that /data/user/0 is currently being created
by init during early boot.  Therefore, this CL doesn't help much for
/data/user/0, though it helps a lot for the other directories.  As the
next step, I'll try to eliminate the /data/user/0 quirk.  Anyway, this
CL is needed regardless of whether we're able to do that.

Test: Booted cuttlefish.  Ran 'sm partition disk:253,32 private', then
      created and deleted a user.  Used 'ls -lZ' to check the relevant
      SELinux labels on both internal and adoptable storage.  Also did
      similar tests on raven, with the addition of going through the
      setup wizard and using an app that creates media files.  No
      relevant SELinux denials seen during any of this.
Bug: 156305599
Change-Id: I1fbdd180f56dd2fe4703763936f5850cef8ab0ba
2022-05-05 04:12:46 +00:00

132 lines
4.7 KiB
Text
Raw Blame History

# Perfetto user-space tracing daemon (unprivileged)
# type traced is defined under /public (because iorapd rules
# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced)
tmpfs_domain(traced)
# Allow apps in other MLS contexts (for multi-user) to access
# share memory buffers created by traced.
typeattribute traced_tmpfs mlstrustedobject;
# Allow traced to start with a lower scheduling class and change
# class accordingly to what defined in the config provided by
# the privileged process that controls it.
allow traced self:global_capability_class_set { sys_nice };
# Allow to pass a file descriptor for the output trace from "perfetto" (the
# cmdline client) and other shell binaries to traced and let traced write
# directly into that (rather than returning the trace contents over the socket).
allow traced perfetto:fd use;
allow traced shell:fd use;
allow traced shell:fifo_file { read write };
# Allow the service to create new files within /data/misc/perfetto-traces.
allow traced perfetto_traces_data_file:file create_file_perms;
allow traced perfetto_traces_data_file:dir rw_dir_perms;
# ... and /data/misc/perfetto-traces/bugreport*
allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
# Allow traceur to pass open file descriptors to traced, so traced can directly
# write into the output file without doing roundtrips over IPC.
allow traced traceur_app:fd use;
allow traced trace_data_file:file { read write };
# Allow perfetto to access the proxy service for notifying Traceur.
allow traced tracingproxy_service:service_manager find;
binder_use(traced);
binder_call(traced, system_server);
# Allow iorapd to pass memfd descriptors to traced, so traced can directly
# write into the shmem buffer file without doing roundtrips over IPC.
allow traced iorapd:fd use;
allow traced iorapd_tmpfs:file { read write };
# Allow traced to use shared memory supplied by producers. Typically, traced
# (i.e. the tracing service) creates the shared memory used for data transfer
# from the producer. This rule allows an alternative scheme, where the producer
# creates the shared memory, that is then adopted by traced (after validating
# that it is appropriately sealed).
# This list has to replicate the tmpfs domains of all applicable domains that
# have perfetto_producer() macro applied to them.
# perfetto_tmpfs excluded as it should never need to use the producer-supplied
# shared memory scheme.
allow traced {
appdomain_tmpfs
heapprofd_tmpfs
surfaceflinger_tmpfs
traced_probes_tmpfs
userdebug_or_eng(`system_server_tmpfs')
}:file { getattr map read write };
# Allow traced to notify Traceur when a trace ends by setting the
# sys.trace.trace_end_signal property.
set_prop(traced, system_trace_prop)
# Allow to lazily start producers.
set_prop(traced, traced_lazy_prop)
# Allow traced to talk to statsd for logging metrics.
unix_socket_send(traced, statsdw, statsd)
###
### Neverallow rules
###
### traced should NEVER do any of this
# Disallow mapping executable memory (execstack and exec are already disallowed
# globally in domain.te).
neverallow traced self:process execmem;
# Block device access.
neverallow traced dev_type:blk_file { read write };
# ptrace any other process
neverallow traced domain:process ptrace;
# Disallows access to /data files, still allowing to write to file descriptors
# passed through the socket.
neverallow traced {
data_file_type
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-system_data_file
-system_data_root_file
-media_userdir_file
-system_userdir_file
-vendor_userdir_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
-vendor_data_file
-zoneinfo_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow traced { system_data_file }:dir ~{ getattr search };
neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
neverallow traced {
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
-perfetto_traces_bugreport_data_file
-trace_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
# Limit the processes that can access tracingproxy_service.
neverallow {
domain
-traced
-dumpstate
-traceur_app
-shell
-system_server
-perfetto
} tracingproxy_service:service_manager find;
Reference in a new issue View git blame Copy permalink