Strengthen ptrace neverallow rules

Add additional compile time constraints on the ability to ptrace various
sensitive domains.

llkd: remove some domains which llkd should never ptrace, even on
debuggable builds, such as kernel threads and init.

crash_dump neverallows: Remove the ptrace neverallow checks because
they duplicate other neverallow assertions spread throughout the policy.

Test: policy compiles and device boots
Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e
diff --git a/private/bpfloader.te b/private/bpfloader.te
index bcfbf39..0b33811 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -19,7 +19,11 @@
 allow bpfloader netd:bpf { map_read map_write };
 allow bpfloader self:bpf { prog_load prog_run };
 
-# Neverallow rules
+dontaudit bpfloader self:global_capability_class_set sys_admin;
+
+###
+### Neverallow rules
+###
 neverallow { domain -bpfloader } *:bpf prog_load;
 neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
 neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
@@ -27,4 +31,5 @@
 # only system_server, netd and bpfloader can read/write the bpf maps
 neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
 
-dontaudit bpfloader self:global_capability_class_set sys_admin;
+# No domain should be allowed to ptrace bpfloader
+neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
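Review bot: The comment above the new rule says no domain may ptrace bpfloader, but the rule itself exempts llkd on userdebug/eng builds through the `userdebug_or_eng` subtraction, so the comment understates what the policy permits. I'd state the exception where a reader will look for it: `# No domain may ptrace bpfloader; llkd is exempted only on userdebug/eng builds`. This neverallow also covers crash_dump, which is what the crash_dump.te change relies on once crash_dump's own ptrace assertion for bpfloader is dropped.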
diff --git a/private/crash_dump.te b/private/crash_dump.te
index aabff29..831ff04 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -17,6 +17,13 @@
   allow crash_dump { llkd logd }:process { ptrace signal sigchld sigstop sigkill };
 ')
 
+###
+### neverallow assertions
+###
+
+# ptrace neverallow assertions are spread throughout the other policy
+# files, so we avoid adding redundant assertions here
+
 neverallow crash_dump {
   bpfloader
   init
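Review bot: The new comment claims the ptrace neverallow assertions for the listed domains live in other policy files, but within this change only bpfloader.te visibly gains such a rule; for init, ueventd, vendor_init, vold and the rest of the list, the coverage replacing the ptrace removed in the next hunk (`}:process { signal sigstop sigkill };`) is not shown. Since an assertion on crash_dump is dropped rather than moved, I'd have the comment name where a reader can confirm the replacement, e.g. `# ptrace neverallow assertions live with each protected domain (see bpfloader.te)`, or keep ptrace in this list until each listed domain carries its own. The `neverallow crash_dump {` statement opened in this hunk closes in the following one.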
@@ -29,6 +36,6 @@
   ueventd
   vendor_init
   vold
-}:process { ptrace signal sigstop sigkill };
+}:process { signal sigstop sigkill };
 
 neverallow crash_dump self:process ptrace;
diff --git a/private/llkd.te b/private/llkd.te
index 73e3f58..900d403 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -22,9 +22,12 @@
 userdebug_or_eng(`
   allow llkd {
     domain
+    -kernel
     -keystore
     -init
     -llkd
+    -ueventd
+    -vendor_init
   }:process ptrace;
 ')
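Review bot: The exclusions added to the userdebug_or_eng allow (`-kernel`, `-ueventd`, `-vendor_init`) only withdraw a debug-build permission; they are not compile-time constraints, and `-init` is unchanged context here, so the commit message's "such as kernel threads and init" describes a pre-existing exclusion rather than this change. If the intent is what the title states, a matching `neverallow` forbidding llkd from ptracing kernel, ueventd and vendor_init would belong here or in those domains' files; I cannot tell from this diff whether one exists. A short comment on the block would also help future readers, e.g. `# never ptrace kernel, init-like or early-boot domains, even on debuggable builds`. Keeping the exclusion list sorted would make later additions easier to check against the neverallow side.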