Add microdroid specific sepolicy Microdroid will have a separate sepolicy, apart from the core policy. This is the first step; For now it's a simple copy of system/sepolicy. For the future work, it will be stripped. Bug: 189165759 Test: boot microdroid and see selinux enforced Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938

commit: ff43be2ca9dcc80711fc14e0bfb847951f677243 [log] [tgz]
author: Inseob Kim <inseob@google.com> Mon Jun 07 16:56:56 2021 +0900
committer: Inseob Kim <inseob@google.com> Mon Jun 07 18:44:35 2021 +0900
tree: bf5e839c17d58df2298c811dbf18624f24b48133
parent: b50e0fabe77f1f16a9d1fd79cd351bef3834c77c [diff] [blame]
diff --git a/microdroid/sepolicy/system/private/llkd.te b/microdroid/sepolicy/system/private/llkd.te
new file mode 100644
index 0000000..f218dec
--- /dev/null
+++ b/microdroid/sepolicy/system/private/llkd.te

@@ -0,0 +1,53 @@
+# llkd Live LocK Daemon
+typeattribute llkd coredomain;
+
+init_daemon_domain(llkd)
+
+get_prop(llkd, llkd_prop)
+
+allow llkd self:global_capability_class_set kill;
+userdebug_or_eng(`
+  allow llkd self:global_capability_class_set { sys_ptrace sys_admin };
+  allow llkd self:global_capability_class_set { dac_override dac_read_search };
+')
+
+# llkd optionally locks itself in memory, to prevent it from being
+# swapped out and unable to discover a kernel in live-lock state.
+allow llkd self:global_capability_class_set ipc_lock;
+
+# Send kill signals to _anyone_ suffering from Live Lock
+allow llkd domain:process sigkill;
+
+# read stack to check for Live Lock
+userdebug_or_eng(`
+  allow llkd {
+    domain
+    -apexd
+    -kernel
+    -keystore
+    -init
+    -llkd
+    -ueventd
+    -vendor_init
+  }:process ptrace;
+')
+
+# live lock watchdog process allowed to look through /proc/
+allow llkd domain:dir r_dir_perms;
+allow llkd domain:file r_file_perms;
+allow llkd domain:lnk_file read;
+# Set /proc/sys/kernel/hung_task_*
+allow llkd proc_hung_task:file rw_file_perms;
+
+# live lock watchdog process allowed to dump process trace and
+# reboot because orderly shutdown may not be possible.
+allow llkd proc_sysrq:file w_file_perms;
+allow llkd kmsg_device:chr_file w_file_perms;
+
+### neverallow rules
+
+neverallow { domain -init } llkd:process { dyntransition transition };
+neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
+
+# never honor LD_PRELOAD
+neverallow * llkd:process noatsecure;
commit	ff43be2ca9dcc80711fc14e0bfb847951f677243	[log] [tgz]
author	Inseob Kim <inseob@google.com>	Mon Jun 07 16:56:56 2021 +0900
committer	Inseob Kim <inseob@google.com>	Mon Jun 07 18:44:35 2021 +0900
tree	bf5e839c17d58df2298c811dbf18624f24b48133
parent	b50e0fabe77f1f16a9d1fd79cd351bef3834c77c [diff] [blame]