From f55c989d18412ae711f00a25ec1ebabe1468325e Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Wed, 10 Oct 2018 22:48:15 +0000
Subject: [PATCH] Constrain cgroups access.

What changed:
- Removed cgroup access from untrusted and priv apps.
- Settings app writes to /dev/stune/foreground/tasks, so system_app domain
retains access to cgroup.
- libcutils exports API to /dev/{cpuset, stune}/*. This API seems to be used
abundantly in native code. So added a blanket allow rule for (coredomain - apps)
to access cgroups.
- For now, only audit cgroup access from vendor domains. Ultimately, we want to
either constrain vendor access to individual domains or, even better, remove
vendor access and have platform manage cgroups exclusively.

Changes from original aosp/692189 which was reverted:
- There seem to be spurious denials from vendor-specific apps. So added
back access from { appdomain -all_untrusted_apps -priv_app } to cgroup.
Audit this access with intent to write explicit per-domain rules for it.

Bug: 110043362
Test: adb shell setprop ro.config.per_app_memcg true, device correctly populates
/dev/memcg on a per app basis on a device that supports that.
Test: aosp_sailfish, wahoo boot without cgroup denials
This reverts commit cacea25ed0fe4850d50d12640c7ee47ae1e2ef7a.
Change-Id: I05ab404f348a864e8409d811346c8a0bf49bc47a
---
 private/app_neverallows.te |  3 +++
 private/priv_app.te        |  3 +++
 private/system_app.te      |  3 +++
 public/app.te              |  4 ----
 public/domain.te           | 31 ++++++++++++++++++++++++++++---
 public/init.te             |  2 +-
 public/vendor_init.te      |  1 +
 7 files changed, 39 insertions(+), 8 deletions(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 344ecd544..1e824046b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -274,3 +274,6 @@ neverallow all_untrusted_apps mediaextractor_update_service:service_manager find
 # This will go away in a future Android release
 neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
 neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
+
+# Untrusted apps are not allowed to use cgroups.
+neverallow all_untrusted_apps cgroup:file *;
diff --git a/private/priv_app.te b/private/priv_app.te
index e12cce765..192221db0 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -218,3 +218,6 @@ neverallow priv_app file_type:file link;
 # upon traceur to pass a file descriptor which they can then read
 neverallow priv_app trace_data_file:dir *;
 neverallow priv_app trace_data_file:file { no_w_file_perms open };
+
+# Do not allow priv_app access to cgroups.
+neverallow priv_app cgroup:file *;
diff --git a/private/system_app.te b/private/system_app.te
index 40fec6acf..4bfcc18f4 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -122,6 +122,9 @@ allow system_app {
   proc_version
 }:file r_file_perms;
 
+# Settings app writes to /dev/stune/foreground/tasks.
+allow system_app cgroup:file w_file_perms;
+
 control_logd(system_app)
 read_runtime_log_tags(system_app)
 get_prop(system_app, device_logging_prop)
diff --git a/public/app.te b/public/app.te
index 5a8215211..800e891b4 100644
--- a/public/app.te
+++ b/public/app.te
@@ -22,10 +22,6 @@ allow appdomain zygote_exec:file rx_file_perms;
 # Notify zygote of death;
 allow appdomain zygote:process sigchld;
 
-# Place process into foreground / background
-allow appdomain cgroup:dir { search write };
-allow appdomain cgroup:file rw_file_perms;
-
 # Read /data/dalvik-cache.
 allow appdomain dalvikcache_data_file:dir { search getattr };
 allow appdomain dalvikcache_data_file:file r_file_perms;
diff --git a/public/domain.te b/public/domain.te
index e9bdb6dec..244e08948 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -258,9 +258,34 @@ allow domain selinuxfs:file getattr;
 allow domain sysfs:dir search;
 allow domain selinuxfs:filesystem getattr;
 
-# For /acct/uid/*/tasks.
-allow domain cgroup:dir { search write };
-allow domain cgroup:file w_file_perms;
+# Path resolution access in cgroups.
+allow domain cgroup:dir search;
+allow { coredomain -appdomain } cgroup:dir w_dir_perms;
+allow { coredomain -appdomain } cgroup:file w_file_perms;
+
+# TODO(b/110043362): Clean up cgroup access from app domains.
+allow {
+  # Can not use all_untrusted_apps macro here, so expanding inline.
+  # This list is essentially { appdomain -all_untrusted_apps -priv_app }
+  appdomain
+  -ephemeral_app
+  -isolated_app
+  -mediaprovider
+  -untrusted_app
+  -untrusted_app_25
+  -untrusted_app_27
+  -untrusted_app_all
+  -priv_app
+} cgroup:file w_file_perms;
+auditallow appdomain cgroup:file w_file_perms;
+
+# TODO(b/110043362): Clean up cgroup access from non-system domains.
+allow { domain -coredomain } cgroup:file w_file_perms;
+auditallow {
+  domain
+  -coredomain
+  -vendor_init
+} cgroup:file w_file_perms;
 
 # Almost all processes log tracing information to
 # /sys/kernel/debug/tracing/trace_marker
diff --git a/public/init.te b/public/init.te
index 02a0dfe7c..eb27dbd32 100644
--- a/public/init.te
+++ b/public/init.te
@@ -93,7 +93,7 @@ allow init sysfs:dir mounton;
 allow init tmpfs:dir create_dir_perms;
 allow init tmpfs:dir mounton;
 allow init cgroup:dir create_dir_perms;
-r_dir_file(init, cgroup)
+allow init cgroup:file rw_file_perms;
 allow init cpuctl_device:dir { create mounton };
 
 # /config
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 01c2f17fd..8cd9b473e 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -15,6 +15,7 @@ allow vendor_init rootfs:lnk_file { create unlink };
 
 # Create cgroups mount points in tmpfs and mount cgroups on them.
 allow vendor_init cgroup:dir create_dir_perms;
+allow vendor_init cgroup:file w_file_perms;
 
 # /config
 allow vendor_init configfs:dir mounton;
-- 
GitLab