Merge "Add sysprop for LeGetVendorCapabilities"
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 13e359a..4251a9e 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -363,16 +363,13 @@
# These partitions are intended to be read-only and must never be
# modified. Doing so would violate important Android security guarantees
# and invalidate dm-verity signatures.
-neverallow {
- domain
- with_asan(`-asan_extract')
-} {
+neverallow domain {
system_file_type
vendor_file_type
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
@@ -445,7 +442,6 @@
-init
-vendor_init
-toolbox # TODO(b/141108496) We want to remove toolbox
- with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
#
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index d32e0e8..235ab14 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -163,3 +163,7 @@
apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
tombstone_transmit.init_done u:object_r:tombstone_transmit_status_prop:s0 exact bool
+
+# tombstone_transmit.start starts tombstone_transmit after creating a directory
+# assigning the same label as ctl.start$tombstone_transmit
+tombstone_transmit.start u:object_r:ctl_tombstone_transmit_prop:s0 exact bool
diff --git a/private/access_vectors b/private/access_vectors
index 6cd8c4e..adb3a61 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -789,3 +789,10 @@
integrity
confidentiality
}
+
+class io_uring
+{
+ override_creds
+ sqpoll
+ cmd
+}
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0579740..5d5723e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -266,7 +266,6 @@
-mediaprovider_app
} { userdebug_or_eng_prop }:file read;
-
# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
# used to communicate to the mdnsd responder. The mdnsd responder will be
# replaced by a java implementation which is integrated into the system server.
@@ -288,3 +287,9 @@
-untrusted_app_30
-untrusted_app_32
} mdnsd:unix_stream_socket connectto;
+
+# Do not allow untrusted apps to use anonymous inodes. At the moment,
+# type transitions are the only way to distinguish between different
+# anon_inode usages like userfaultfd and io_uring. This prevents us from
+# creating a more fine-grained neverallow policy for each anon_inode usage.
+neverallow all_untrusted_apps domain:anon_inode *;
diff --git a/private/fastbootd.te b/private/fastbootd.te
index d93ee42..7dc1741 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -50,7 +50,7 @@
hal_client_domain(fastbootd, hal_fastboot)
')
-# io_uring_setup needs ipc_lock and permission to operate anon inodes
+# This capability allows fastbootd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
allow fastbootd self:capability ipc_lock;
-
-allow fastbootd self:anon_inode create_file_perms;
+io_uring_use(fastbootd)
diff --git a/private/installd.te b/private/installd.te
index 9673cfd..7615c92 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -47,7 +47,10 @@
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write getattr };
-allow installd { dex2oat dexoptanalyzer }:process { sigkill signal };
+allow installd { dex2oat dexoptanalyzer }:process signal;
+
+# installd kills subprocesses if they time out.
+allow installd { dex2oat dexoptanalyzer profman }:process sigkill;
# Allow installd manage dirs in /data/misc_ce/0/sdksandbox
allow installd sdk_sandbox_system_data_file:dir { create_dir_perms relabelfrom };
diff --git a/private/security_classes b/private/security_classes
index 0d3cc80..99f947f 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -142,6 +142,8 @@
class perf_event
+class io_uring
+
# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 2f2d3e7..797a6c2 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -8,8 +8,6 @@
allow snapuserd kmsg_device:chr_file rw_file_perms;
-allow snapuserd self:capability ipc_lock;
-
# Allow snapuserd to reach block devices in /dev/block.
allow snapuserd block_device:dir search;
@@ -54,9 +52,12 @@
-init
} snapuserd_prop:property_service set;
-allow snapuserd self:anon_inode create_file_perms;
-
# Allow to read/write/create OTA metadata files
allow snapuserd metadata_file:dir search;
allow snapuserd ota_metadata_file:dir rw_dir_perms;
allow snapuserd ota_metadata_file:file create_file_perms;
+
+# This capability allows snapuserd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
+allow snapuserd self:capability ipc_lock;
+io_uring_use(snapuserd)
diff --git a/public/te_macros b/public/te_macros
index 11041b6..ad86a19 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -176,8 +176,6 @@
dontaudit su $1_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
-# This domain may not use userfaultfd anon_inodes created by other domains.
-neverallow $1 ~$1_userfaultfd:anon_inode *;
')
####################################
@@ -1043,3 +1041,21 @@
allow $1 apex_mnt_dir:dir r_dir_perms;
allow $1 apex_info_file:file r_file_perms;
')
+
+####################################
+# io_uring_use(domain)
+# Allow domain to create/use io_uring.
+define(`io_uring_use', `
+# Set up a type_transition to "io_uring" named anonymous inode object.
+type $1_iouring;
+type_transition $1 $1:anon_inode $1_iouring "[io_uring]";
+# Allow domain to create/use io_uring anon_inode.
+allow $1 $1_iouring:anon_inode { create map read write };
+allow $1 self:io_uring sqpoll;
+# Other domains may not use iouring anon_inodes created by this domain.
+neverallow { domain -$1 } $1_iouring:anon_inode *;
+# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
+# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
+# grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
+dontaudit $1 self:global_capability_class_set ipc_lock;
+')
