From 275ea12d84eddb60dbe68d7e0d9715fcbdc99e23 Mon Sep 17 00:00:00 2001
From: Mark Salyzyn <salyzyn@google.com>
Date: Tue, 7 Aug 2018 16:03:47 -0700
Subject: [PATCH] llkd: Add stack symbol checking

On userdebug/eng builds, llkd needs the ptrace permission (with the sys_ptrace
and dac_override capabilities) to read other processes' stack dumps and check
them for live lock conditions.

Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
---
 private/compat/26.0/26.0.ignore.cil |  3 ++-
 private/compat/27.0/27.0.ignore.cil |  1 +
 private/compat/28.0/28.0.ignore.cil |  1 +
 private/crash_dump.te               |  6 ++++++
 private/domain.te                   |  1 +
 private/llkd.te                     | 17 +++++++++++++++++
 private/property_contexts           |  4 ++++
 public/app.te                       | 10 ++++++++--
 public/domain.te                    |  1 +
 public/logd.te                      |  2 +-
 public/property.te                  |  1 +
 public/te_macros                    |  5 +++--
 12 files changed, 46 insertions(+), 6 deletions(-)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index fb8cde16a..41979af7e 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -76,10 +76,11 @@
     incident_helper
     incident_helper_exec
     kmsg_debug_device
+    last_boot_reason_prop
     llkd
     llkd_exec
+    llkd_prop
     llkd_tmpfs
-    last_boot_reason_prop
     lowpan_device
     lowpan_prop
     lowpan_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 4e9530358..278d60500 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -69,6 +69,7 @@
     last_boot_reason_prop
     llkd
     llkd_exec
+    llkd_prop
     llkd_tmpfs
     lowpan_device
     lowpan_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index c64e34154..6a79c750c 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -14,6 +14,7 @@
     hal_system_suspend_default_tmpfs
     llkd
     llkd_exec
+    llkd_prop
     llkd_tmpfs
     mnt_product_file
     overlayfs_file
diff --git a/private/crash_dump.te b/private/crash_dump.te
index a50740ef3..aabff29f3 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -7,17 +7,23 @@ allow crash_dump {
   -init
   -kernel
   -keystore
+  -llkd
   -logd
   -ueventd
   -vendor_init
   -vold
 }:process { ptrace signal sigchld sigstop sigkill };
+userdebug_or_eng(`
+  allow crash_dump { llkd logd }:process { ptrace signal sigchld sigstop sigkill };
+')
 
 neverallow crash_dump {
   bpfloader
   init
   kernel
   keystore
+  llkd
+  userdebug_or_eng(`-llkd')
   logd
   userdebug_or_eng(`-logd')
   ueventd
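Review bot: The new `allow crash_dump { llkd logd }:process { ptrace signal sigchld sigstop sigkill };` line grants crash_dump ptrace and signal rights on logd as well as llkd, and nothing in this hunk shows that logd previously had such an allow (it is still in the `-logd` exclusion of the unconditional rule above); if the logd grant is intentional it should be named in the commit message, otherwise narrow the line to `allow crash_dump llkd:process { ptrace signal sigchld sigstop sigkill };`. A one-line comment above the userdebug_or_eng block, e.g. `# Debug builds: crash_dump may also dump llkd and logd.`, would make the carve-out self-explanatory. The `neverallow crash_dump {` block continues past the end of this hunk, so its closing part is unreviewed here.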
diff --git a/private/domain.te b/private/domain.te
index 1ae31aea1..5c6fec8b7 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -8,6 +8,7 @@ allow domain crash_dump:process sigchld;
 neverallow {
   domain
   -vold
+  userdebug_or_eng(`-llkd')
   -dumpstate
   userdebug_or_eng(`-incidentd')
   -storaged
diff --git a/private/llkd.te b/private/llkd.te
index 54c6d049b..73e3f5818 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -3,7 +3,13 @@ typeattribute llkd coredomain;
 
 init_daemon_domain(llkd)
 
+get_prop(llkd, llkd_prop)
+
 allow llkd self:global_capability_class_set kill;
+userdebug_or_eng(`
+  allow llkd self:global_capability_class_set sys_ptrace;
+  allow llkd self:global_capability_class_set dac_override;
+')
 
 # llkd optionally locks itself in memory, to prevent it from being
 # swapped out and unable to discover a kernel in live-lock state.
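Review bot: `dac_override` is broader than the read-only access that inspecting another process's stack should need; unless llkd also writes to files it does not own, the narrower `dac_read_search` capability is the least-privilege choice: `allow llkd self:global_capability_class_set dac_read_search;`. The two capability lines also carry no why-comment; I would add `# On userdebug/eng builds llkd reads other processes' stacks, which needs ptrace and a DAC bypass.` above the userdebug_or_eng block. Which kernel interface llkd actually reads is not visible in this patch, so confirm that write access is not required before narrowing.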
@@ -12,6 +18,16 @@ allow llkd self:global_capability_class_set ipc_lock;
 # Send kill signals to _anyone_ suffering from Live Lock
 allow llkd domain:process sigkill;
 
+# read stack to check for Live Lock
+userdebug_or_eng(`
+  allow llkd {
+    domain
+    -keystore
+    -init
+    -llkd
+  }:process ptrace;
+')
+
 # live lock watchdog process allowed to look through /proc/
 allow llkd domain:dir r_dir_perms;
 allow llkd domain:file r_file_perms;
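Review bot: The grant `allow llkd { domain -keystore -init -llkd }:process ptrace;` has a much shorter exclusion list than the one crash_dump uses in crash_dump.te (which additionally excludes bpfloader, kernel, ueventd, vendor_init and vold), and the hunk does not say why llkd needs the wider set. If llkd really must sample every domain, state it and the reason for the two exclusions in the comment, e.g. `# read stack to check for Live Lock (userdebug/eng only); keystore and init are excluded, presumably to honor their existing ptrace neverallows`; otherwise mirror crash_dump's list. The neverallows that govern ptrace of vold, ueventd and the others are not in this hunk, so I cannot tell from here whether the wider grant compiles.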
@@ -27,6 +43,7 @@ allow llkd kmsg_device:chr_file w_file_perms;
 ### neverallow rules
 
 neverallow { domain -init } llkd:process { dyntransition transition };
+neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
 
 # never honor LD_PRELOAD
 neverallow * llkd:process noatsecure;
diff --git a/private/property_contexts b/private/property_contexts
index 2726d84a6..b0f865375 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -34,6 +34,10 @@ debug.                  u:object_r:debug_prop:s0
 debug.db.               u:object_r:debuggerd_prop:s0
 dumpstate.              u:object_r:dumpstate_prop:s0
 dumpstate.options       u:object_r:dumpstate_options_prop:s0
+llk.                    u:object_r:llkd_prop:s0
+khungtask.              u:object_r:llkd_prop:s0
+ro.llk.                 u:object_r:llkd_prop:s0
+ro.khungtask.           u:object_r:llkd_prop:s0
 log.                    u:object_r:log_prop:s0
 log.tag                 u:object_r:log_tag_prop:s0
 log.tag.WifiHAL         u:object_r:wifi_log_prop:s0
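Review bot: The four new prefixes map to `llkd_prop`, but this patch only grants llkd `get_prop` on that type, so on a debug build the non-`ro.` `llk.` and `khungtask.` properties have no visible setter other than init; if developers are expected to tune llkd from a shell, a `userdebug_or_eng(`set_prop(shell, llkd_prop)')` in shell.te seems to be missing. Nothing here documents what `khungtask.` controls either; a one-line comment such as `# llkd and kernel hung-task watchdog tunables` above the block would help readers of property_contexts. Whether `khungtask.` is meant to be read by anything other than llkd is not visible in this patch.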
diff --git a/public/app.te b/public/app.te
index 40a0a00ab..932116e6a 100644
--- a/public/app.te
+++ b/public/app.te
@@ -412,9 +412,15 @@ neverallow appdomain { domain -appdomain }:process ptrace;
 # of application data and execution state. Ptrace bypasses those
 # confidentiality guarantees. Disallow ptrace access from system components
 # to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces.
+# produce stack traces.  llkd is excluded, as it needs ptrace access to
+# inspect stack traces for live lock conditions.
 
-neverallow { domain -appdomain -crash_dump } appdomain:process ptrace;
+neverallow {
+  domain
+  -appdomain
+  -crash_dump
+  userdebug_or_eng(`-llkd')
+} appdomain:process ptrace;
 
 # Read or write access to /proc/pid entries for any non-app domain.
 # A different form of hidepid=2 like protections
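Review bot: The new comment text `llkd is excluded, as it needs ptrace access to inspect stack traces for live lock conditions.` omits that the exclusion is conditional, while the rule below only applies `userdebug_or_eng(`-llkd')`; a reader of the comment alone would conclude that user builds also let llkd ptrace apps. I would write `llkd is excluded on userdebug/eng builds only, as it needs ptrace access to inspect stack traces for live lock conditions.` The parallel comment in te_macros should use the same wording.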
diff --git a/public/domain.te b/public/domain.te
index 5e43db9bd..a865bd8c8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1382,6 +1382,7 @@ neverallow {
   -init
   -installd
   -install_recovery
+  userdebug_or_eng(`-llkd')
   -lmkd
   -netd
   -perfprofd
diff --git a/public/logd.te b/public/logd.te
index b5112b0b4..91ef54573 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -52,7 +52,7 @@ neverallow logd dev_type:blk_file { read write };
 neverallow logd domain:process ptrace;
 
 # ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
+neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
 
 # Write to /system.
 neverallow logd system_file:dir_file_class_set write;
diff --git a/public/property.te b/public/property.te
index 7e6c93995..eb1fef85f 100644
--- a/public/property.te
+++ b/public/property.te
@@ -36,6 +36,7 @@ type firstboot_prop, property_type;
 type hwservicemanager_prop, property_type;
 type last_boot_reason_prop, property_type;
 type system_lmk_prop, property_type;
+type llkd_prop, property_type;
 type logd_prop, property_type, core_property_type;
 type logpersistd_logging_prop, property_type;
 type log_prop, property_type, log_property_type;
diff --git a/public/te_macros b/public/te_macros
index a03bfe9bf..def7b4679 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -182,8 +182,9 @@ neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
 # of application data and execution state. Ptrace bypasses those
 # confidentiality guarantees. Disallow ptrace access from system components
 # to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces.
-neverallow { domain -$1 -crash_dump } $1:process ptrace;
+# produce stack traces.  llkd is excluded, as it needs to inspect
+# the kernel stack for live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') } $1:process ptrace;
 ')
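Review bot: The comment added here says llkd `needs to inspect the kernel stack`, whereas the parallel comment in app.te says `stack traces`, and neither mentions that the carve-out is userdebug/eng only, which the rule encodes with `userdebug_or_eng(`-llkd')`. I would use one phrasing in both places: `llkd is excluded on userdebug/eng builds only, as it needs ptrace to inspect the stack for live lock conditions.` The macro begins outside this hunk, so its other rules are unreviewed here.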
 
 #####################################
-- 
GitLab