Commit 095fbea5 authored by Nick Kralevich's avatar Nick Kralevich

Strengthen ptrace neverallow rules

Add additional compile time constraints on the ability to ptrace various
sensitive domains.

llkd: remove some domains which llkd should never ptrace, even on
debuggable builds, such as kernel threads and init.

crash_dump neverallows: Remove the ptrace neverallow checks because
they duplicate other neverallow assertions spread throughout the policy.

Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
parent 702fd0af
......@@ -19,7 +19,11 @@ allow bpfloader netd:fd use;
allow bpfloader netd:bpf { map_read map_write };
allow bpfloader self:bpf { prog_load prog_run };
# Neverallow rules
dontaudit bpfloader self:global_capability_class_set sys_admin;
###
### Neverallow rules
###
neverallow { domain -bpfloader } *:bpf prog_load;
neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
......@@ -27,4 +31,5 @@ neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# only system_server, netd and bpfloader can read/write the bpf maps
neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
dontaudit bpfloader self:global_capability_class_set sys_admin;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
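Review bot: The comment above the new neverallow says no domain may ptrace bpfloader, but the rule itself exempts llkd on userdebug/eng builds, so the comment overstates the guarantee; reword it to `# No domain should be allowed to ptrace bpfloader (llkd is exempted on userdebug/eng builds only)`. The exemption appears to be needed only because the llkd.te change in this commit grants llkd ptrace over every domain except a short exclusion list that does not contain bpfloader. If llkd has no reason to ptrace bpfloader on debug builds, adding `-bpfloader` to that llkd allow rule and dropping the `userdebug_or_eng` macro here would make the production and debug guarantees identical and simpler to audit.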
......@@ -17,6 +17,13 @@ userdebug_or_eng(`
allow crash_dump { llkd logd }:process { ptrace signal sigchld sigstop sigkill };
')
###
### neverallow assertions
###
# ptrace neverallow assertions are spread throughout the other policy
# files, so we avoid adding redundant assertions here
neverallow crash_dump {
bpfloader
init
......@@ -29,6 +36,6 @@ neverallow crash_dump {
ueventd
vendor_init
vold
}:process { ptrace signal sigstop sigkill };
}:process { signal sigstop sigkill };
neverallow crash_dump self:process ptrace;
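Review bot: Dropping `ptrace` from this neverallow set relies on a per-target ptrace assertion existing for every domain in the list, but this commit only adds such assertions for init, kernel, ueventd, vendor_init and bpfloader; for `vold`, and for whatever sits in the part of the list that the gap between the two hunks elides, no replacement is visible here, so please confirm each one exists before merging or keep `ptrace` in the set until it does. The new section comment could also tell readers where to look, e.g. `# ptrace neverallows live next to each target domain (init.te, kernel.te, ueventd.te, vendor_init.te, bpfloader.te, ...)`. Note that the `neverallow crash_dump { ... }` block itself starts in the earlier hunk and is split across the two hunks shown.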
......@@ -22,9 +22,12 @@ allow llkd domain:process sigkill;
userdebug_or_eng(`
allow llkd {
domain
-kernel
-keystore
-init
-llkd
-ueventd
-vendor_init
}:process ptrace;
')
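Review bot: The four new exclusions carry no comment saying why they exist, and the only thing keeping this list correct is that each excluded domain has a matching `neverallow * <domain>:process ptrace` assertion elsewhere; add `# Exclude every domain covered by a global "neverallow * X:process ptrace" (init, kernel, ueventd, vendor_init); the policy fails to compile otherwise` above the allow rule. `keystore` is excluded without any keystore ptrace assertion being touched in this commit, so I am assuming one already exists elsewhere in the policy — worth confirming. Since the rule is `domain` minus a handful of names, any future domain that gains a global ptrace neverallow will break the build here rather than silently widening llkd's reach, which is the desirable failure mode and could be stated in the same comment.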
......
......@@ -394,9 +394,6 @@ neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
neverallow { domain -init -vendor_init } proc_security:file { append open read write };
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
# Nobody is allowed to make binder calls into init.
# Only servicemanager may transfer binder references to init
# vendor_init shouldn't use binder at all.
......
......@@ -541,3 +541,6 @@ neverallow init shell_data_file:dir { write add_name remove_name };
# Init should not access sysfs node that are not explicitly labeled.
neverallow init sysfs:file { open read write };
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
......@@ -81,6 +81,21 @@ allow kernel media_rw_data_file:file create_file_perms;
# Access to /data/misc/vold/virtual_disk.
allow kernel vold_data_file:file read;
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
# before the domain is switched to the target domain. So, we need to allow the kernel
# domain (the source domain) to execute the dynamic linker (system_file type).
# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
# kernel older than 4.8.
allow kernel system_file:file execute;
# The label for the dynamic linker is rootfs in the recovery partition. This is because
# the recovery partition which is rootfs does not support xattr and thus labeling can't be
# done at build-time. All files are by default labeled as rootfs upon booting.
recovery_only(`
allow kernel rootfs:file execute;
')
###
### neverallow rules
###
......@@ -104,17 +119,5 @@ neverallow kernel *:file { entrypoint execute_no_trans };
# on files being accessed.
neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
# before the domain is switched to the target domain. So, we need to allow the kernel
# domain (the source domain) to execute the dynamic linker (system_file type).
# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
# kernel older than 4.8.
allow kernel system_file:file execute;
# The label for the dynamic linker is rootfs in the recovery partition. This is because
# the recovery partition which is rootfs does not support xattr and thus labeling can't be
# done at build-time. All files are by default labeled as rootfs upon booting.
recovery_only(`
allow kernel rootfs:file execute;
')
# Nobody should be ptracing kernel threads
neverallow * kernel:process ptrace;
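Review bot: The comment `# Nobody should be ptracing kernel threads` understates what the new rule covers: as the moved comment above the `allow kernel system_file:file execute` block says, first-stage init also runs in the kernel domain, so this assertion forbids ptrace of first-stage init as well. Reword to `# Nobody should be ptracing the kernel domain (kernel threads and first-stage init)`. Relocating the execute allow rules above the `### neverallow rules ###` header is a correct tidy-up and not a behaviour change; the TODO(b/110147943) on them is unchanged.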
......@@ -70,3 +70,6 @@ neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create set
# Only relabelto as we would never want to relabelfrom kmem_device or port_device
neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
# Nobody should be able to ptrace ueventd
neverallow * ueventd:process ptrace;
......@@ -229,3 +229,6 @@ neverallow vendor_init { file_type fs_type }:file execute_no_trans;
# Init never adds or uses services via service_manager.
neverallow vendor_init service_manager_type:service_manager { add find };
neverallow vendor_init servicemanager:service_manager list;
# vendor_init should never be ptraced
neverallow * vendor_init:process ptrace;