Add SELinux Policy For io_uring
Brings in the io_uring class and associated restrictions and adds a new
macro, `io_uring_use`, to sepolicy.
In more detail, this change:
* Adds a new macro expands to ensure the domain it is passed can undergo a
type transition to a new type, `<domain>_iouring`, when the anon_inode
being accessed is labeled `[io_uring]`. It also allows the domain to
create, read, write, and map the io_uring anon_inode.
* Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag
during `io_uring_setup` so that a syscall to `io_uring_enter` is not
required by the caller each time it wishes to submit IO. This can be
enabled securely as long as we don't enable sharing of io_uring file
descriptors across domains. The kernel polling thread created by `SQPOLL`
will inherit the credentials of the thread that created the io_uring [1].
* Removes the selinux policy that restricted all domains that make use of
the `userfault_fd` macro from any `anon_inode` created by another domain.
This is overly restrictive, as it prohibits the use of two different
`anon_inode` use cases in a single domain e.g. userfaultfd and io_uring.
This change also replaces existing sepolicy in fastbootd and snapuserd
that enabled the use of io_uring.
[1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/
Bug: 253385258
Test: m selinux_policy
Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423
Test: Manually deliver OTAs (built with m dist) to a recent Pixel device
and ensure snapuserd functions correctly (no io_uring failures)
Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f
diff --git a/private/access_vectors b/private/access_vectors
index 6cd8c4e..adb3a61 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -789,3 +789,10 @@
integrity
confidentiality
}
+
+class io_uring
+{
+ override_creds
+ sqpoll
+ cmd
+}
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0579740..5d5723e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -266,7 +266,6 @@
-mediaprovider_app
} { userdebug_or_eng_prop }:file read;
-
# Do not allow untrusted app to access /dev/socket/mdnsd since U. The socket is
# used to communicate to the mdnsd responder. The mdnsd responder will be
# replaced by a java implementation which is integrated into the system server.
@@ -288,3 +287,9 @@
-untrusted_app_30
-untrusted_app_32
} mdnsd:unix_stream_socket connectto;
+
+# Do not allow untrusted apps to use anonymous inodes. At the moment,
+# type transitions are the only way to distinguish between different
+# anon_inode usages like userfaultfd and io_uring. This prevents us from
+# creating a more fine-grained neverallow policy for each anon_inode usage.
+neverallow all_untrusted_apps domain:anon_inode *;
diff --git a/private/fastbootd.te b/private/fastbootd.te
index d93ee42..7dc1741 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -50,7 +50,7 @@
hal_client_domain(fastbootd, hal_fastboot)
')
-# io_uring_setup needs ipc_lock and permission to operate anon inodes
+# This capability allows fastbootd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
allow fastbootd self:capability ipc_lock;
-
-allow fastbootd self:anon_inode create_file_perms;
+io_uring_use(fastbootd)
diff --git a/private/security_classes b/private/security_classes
index 0d3cc80..99f947f 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -142,6 +142,8 @@
class perf_event
+class io_uring
+
# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
class lockdown
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 2f2d3e7..797a6c2 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -8,8 +8,6 @@
allow snapuserd kmsg_device:chr_file rw_file_perms;
-allow snapuserd self:capability ipc_lock;
-
# Allow snapuserd to reach block devices in /dev/block.
allow snapuserd block_device:dir search;
@@ -54,9 +52,12 @@
-init
} snapuserd_prop:property_service set;
-allow snapuserd self:anon_inode create_file_perms;
-
# Allow to read/write/create OTA metadata files
allow snapuserd metadata_file:dir search;
allow snapuserd ota_metadata_file:dir rw_dir_perms;
allow snapuserd ota_metadata_file:file create_file_perms;
+
+# This capability allows snapuserd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
+allow snapuserd self:capability ipc_lock;
+io_uring_use(snapuserd)
diff --git a/public/te_macros b/public/te_macros
index 11041b6..ad86a19 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -176,8 +176,6 @@
dontaudit su $1_userfaultfd:anon_inode *;
# Other domains may not use userfaultfd anon_inodes created by this domain.
neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
-# This domain may not use userfaultfd anon_inodes created by other domains.
-neverallow $1 ~$1_userfaultfd:anon_inode *;
')
####################################
@@ -1043,3 +1041,21 @@
allow $1 apex_mnt_dir:dir r_dir_perms;
allow $1 apex_info_file:file r_file_perms;
')
+
+####################################
+# io_uring_use(domain)
+# Allow domain to create/use io_uring.
+define(`io_uring_use', `
+# Set up a type_transition to "io_uring" named anonymous inode object.
+type $1_iouring;
+type_transition $1 $1:anon_inode $1_iouring "[io_uring]";
+# Allow domain to create/use io_uring anon_inode.
+allow $1 $1_iouring:anon_inode { create map read write };
+allow $1 self:io_uring sqpoll;
+# Other domains may not use iouring anon_inodes created by this domain.
+neverallow { domain -$1 } $1_iouring:anon_inode *;
+# io_uring checks for CAP_IPC_LOCK to determine whether or not to track
+# memory usage per uid against RLIMIT_MEMLOCK. This can lead folks to
+# grant CAP_IPC_LOCK to silence avc denials, which is undesireable.
+dontaudit $1 self:global_capability_class_set ipc_lock;
+')