author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2024-03-12 20:48:43 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2024-03-12 20:48:43 +0000 |
commit | 19e89f3f6f021208dd1de1da8620865dd22cea0a (patch) | |
tree | 72ca82b18fac3a7f9cfdf928820abba3b061db6e | |
parent | bfe038f3f6fe999a27bdfc301fee5daf316c231f (diff) | |
parent | 30404a42b8c79507c7df43e7b68ac4bc84a91710 (diff) | |
Snap for 11561025 from 30404a42b8c79507c7df43e7b68ac4bc84a91710 to android13-tests-releaseandroid13-tests-release
Change-Id: I6569fca4b488d57fee70646ef4d71fb8569b8015
-rw-r--r-- | prebuilts/api/33.0/private/untrusted_app_all.te | 3 | ||||
-rw-r--r-- | prebuilts/api/33.0/public/domain.te | 18 | ||||
-rw-r--r-- | private/untrusted_app_all.te | 3 | ||||
-rw-r--r-- | public/domain.te | 18 |
4 files changed, 16 insertions, 26 deletions
diff --git a/prebuilts/api/33.0/private/untrusted_app_all.te b/prebuilts/api/33.0/private/untrusted_app_all.te
index 26077f376..3ee54b2c4 100644
--- a/prebuilts/api/33.0/private/untrusted_app_all.te
+++ b/prebuilts/api/33.0/private/untrusted_app_all.te
@@ -166,9 +166,6 @@ create_pty(untrusted_app_all)
 userdebug_or_eng(`
 allow untrusted_app_all debugfs_kcov:file rw_file_perms;
 allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
 ')
 # Allow running a VM for test/demo purposes. Note that access the service is
diff --git a/prebuilts/api/33.0/public/domain.te b/prebuilts/api/33.0/public/domain.te
index 132202545..abf186a27 100644
--- a/prebuilts/api/33.0/public/domain.te
+++ b/prebuilts/api/33.0/public/domain.te
@@ -282,13 +282,14 @@ allow domain debugfs_tracing:dir search;
 allow domain debugfs_tracing_debug:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
 # Filesystem access.
 allow domain fs_type:filesystem getattr;
@@ -1351,6 +1352,3 @@ neverallow {
 } ashmem_device:chr_file open;
 neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 26077f376..3ee54b2c4 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -166,9 +166,6 @@ create_pty(untrusted_app_all)
 userdebug_or_eng(`
 allow untrusted_app_all debugfs_kcov:file rw_file_perms;
 allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
 ')
 # Allow running a VM for test/demo purposes. Note that access the service is
diff --git a/public/domain.te b/public/domain.te
index 132202545..abf186a27 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -282,13 +282,14 @@ allow domain debugfs_tracing:dir search;
 allow domain debugfs_tracing_debug:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
 # Filesystem access.
 allow domain fs_type:filesystem getattr;
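Review bot: The new `allow domain self:lockdown { confidentiality integrity };` in public/domain.te makes both lockdown permissions unconditional for every domain, and the rewritten comment justifies this only with "mainly duplicates pre-existing rules", which leaves undocumented which `integrity`-gated operations are not covered by an explicit rule on kernels that still implement the hook (everything before 5.16, per the comment itself). With the compile-time `neverallow ... self:lockdown integrity` also dropped in the later hunk of this file, explicit object-level rules are presumably the only remaining control for those operations on 5.10/5.15 devices, so I would have the comment (or the referenced bug) name the exceptions that "mainly" refers to and state that plainly, so the defense-in-depth being given up is auditable rather than implied. The removal condition "once no kernel <5.16 are supported" has no owner; I would write it as an actionable marker such as `# TODO(b/285443587): remove the lockdown rules once no kernel <5.16 is supported.` so the now-dead `lockdown` class is not kept indefinitely. Minor wording in the same comment: `some access were found to be required` should read `some accesses were found to be required`.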
@@ -1351,6 +1352,3 @@ neverallow {
 } ashmem_device:chr_file open;
 neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity; |