-
Tri Vo authored
What changed: - Removed cgroup access from untrusted and priv apps. - Settings app writes to /dev/stune/foreground/tasks, so system_app domain retains access to cgroup. - libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used abundantly in native code. So added a blanket allow rule for (coredomain - apps) to access cgroups. - For now, only audit cgroup access from vendor domains. Ultimately, we want to either constrain vendor access to individual domains or, even better, remove vendor access and have platform manage cgroups exclusively. Changes from original aosp/692189 which was reverted: - There seem to be spurious denials from vendor-specific apps. So added back access from { appdomain -all_untrusted_apps -priv_app } to cgroup. Audit this access with intent to write explicit per-domain rules for it. Bug: 110043362 Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates /dev/memcg on a per app basis on a device that supports that. Test: aosp_sailfish, wahoo boot without cgroup denials This reverts commit cacea25e. Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47af55c989d
vendor_init.te 7.53 KiB
# vendor_init is its own domain.
type vendor_init, domain, mlstrustedsubject;
# Communication to the main init process
allow vendor_init init:unix_stream_socket { read write };
# Logging to kmsg
allow vendor_init kmsg_device:chr_file { open write };
# Mount on /dev/usb-ffs/adb.
allow vendor_init device:dir mounton;
# Create and remove symlinks in /.
allow vendor_init rootfs:lnk_file { create unlink };
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
allow vendor_init cgroup:file w_file_perms;
# /config
allow vendor_init configfs:dir mounton;
allow vendor_init configfs:dir create_dir_perms;
allow vendor_init configfs:{ file lnk_file } create_file_perms;
# Create directories under /dev/cpuctl after chowning it to system.
allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
allow vendor_init self:global_capability_class_set { chown fowner fsetid };
# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
allow vendor_init unencrypted_data_file:dir search;
allow vendor_init unencrypted_data_file:file r_file_perms;
# Set encryption policy on dirs in /data
allowxperm vendor_init data_file_type:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_SET_ENCRYPTION_POLICY
};
allow vendor_init system_data_file:dir getattr;
allow vendor_init {
file_type
-core_data_file_type
-exec_type
-system_file_type
-mnt_product_file
-unlabeled
-vendor_file_type
-vold_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init {
file_type
-core_data_file_type
-exec_type
-runtime_event_log_tags_file
-system_file_type
-unlabeled
-vendor_file_type
-vold_metadata_file
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
file_type -core_data_file_type
-exec_type
-system_file_type
-unlabeled
-vendor_file_type
-vold_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
file_type
-core_data_file_type
-exec_type
-system_file_type
-unlabeled
-vendor_file_type
-vold_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
file_type
-core_data_file_type
-exec_type
-mnt_product_file
-system_file_type
-vendor_file_type
-vold_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
allow vendor_init dev_type:lnk_file create;
# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
allow vendor_init debugfs_tracing:file w_file_perms;
# chown/chmod on pseudo files.
allow vendor_init {
fs_type
-contextmount_type
-keychord_device
-sdcard_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
}:file { open read setattr map };
allow vendor_init {
fs_type
-contextmount_type
-sdcard_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
}:dir { open read setattr search };
# chown/chmod on devices, e.g. /dev/ttyHS0
allow vendor_init {
dev_type
-keychord_device
-kmem_device
-port_device
-lowpan_device
-hw_random_device
}:chr_file setattr;
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
r_dir_file(vendor_init, proc_net_type)allow vendor_init proc_net_type:file w_file_perms;
allow vendor_init self:global_capability_class_set net_admin;
# Write to /proc/sys/vm/page-cluster
allow vendor_init proc_page_cluster:file w_file_perms;
# Write to sysfs nodes.
allow vendor_init sysfs_type:dir r_dir_perms;
allow vendor_init sysfs_type:lnk_file read;
allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
# setfscreatecon() for labeling directories and socket files.
allow vendor_init self:process { setfscreate };
r_dir_file(vendor_init, vendor_file_type)
# Vendor init can read properties
allow vendor_init serialno_prop:file { getattr open read map };
# Vendor init can perform operations on trusted and security Extended Attributes
allow vendor_init self:global_capability_class_set sys_admin;
# Raw writes to misc block device
allow vendor_init misc_block_device:blk_file w_file_perms;
# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
# the dynamic linker and shared libraries.
recovery_only(`
allow vendor_init rootfs:file { r_file_perms execute };
')
not_compatible_property(`
set_prop(vendor_init, {
property_type
-restorecon_prop
-netd_stable_secret_prop
-firstboot_prop
-pm_prop
-system_boot_reason_prop
-bootloader_boot_reason_prop
-last_boot_reason_prop
})
')
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, debug_prop)
set_prop(vendor_init, exported_audio_prop)
set_prop(vendor_init, exported_bluetooth_prop)
set_prop(vendor_init, exported_config_prop)
set_prop(vendor_init, exported_dalvik_prop)
set_prop(vendor_init, exported_default_prop)
set_prop(vendor_init, exported_ffs_prop)
set_prop(vendor_init, exported_overlay_prop)
set_prop(vendor_init, exported_pm_prop)
set_prop(vendor_init, exported_radio_prop)
set_prop(vendor_init, exported_system_radio_prop)
set_prop(vendor_init, exported_wifi_prop)
set_prop(vendor_init, exported2_config_prop)
set_prop(vendor_init, exported2_system_prop)
set_prop(vendor_init, exported2_vold_prop)
set_prop(vendor_init, exported3_default_prop)
set_prop(vendor_init, exported3_radio_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
set_prop(vendor_init, serialno_prop)
set_prop(vendor_init, vendor_default_prop)set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, wifi_log_prop)
get_prop(vendor_init, exported2_radio_prop)
get_prop(vendor_init, exported3_system_prop)
###
### neverallow rules
###
# Vendor init shouldn't communicate with any vendor process, nor most system processes.
neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
# The vendor_init domain is only entered via an exec based transition from the
# init domain, never via setcon().
neverallow domain vendor_init:process dyntransition;
neverallow { domain -init } vendor_init:process transition;
neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
neverallow vendor_init shell_data_file:lnk_file read;
# Init should not be creating subdirectories in /data/local/tmp
neverallow vendor_init shell_data_file:dir { write add_name remove_name };
# init should never execute a program without changing to another domain.
neverallow vendor_init { file_type fs_type }:file execute_no_trans;
# Init never adds or uses services via service_manager.
neverallow vendor_init service_manager_type:service_manager { add find };
neverallow vendor_init servicemanager:service_manager list;
# vendor_init should never be ptraced
neverallow * vendor_init:process ptrace;