Add SELinux Policy For io_uring
Brings in the io_uring class and associated restrictions and adds a new
macro, `io_uring_use`, to sepolicy.
In more detail, this change:
* Adds a new macro expands to ensure the domain it is passed can undergo a
type transition to a new type, `<domain>_iouring`, when the anon_inode
being accessed is labeled `[io_uring]`. It also allows the domain to
create, read, write, and map the io_uring anon_inode.
* Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag
during `io_uring_setup` so that a syscall to `io_uring_enter` is not
required by the caller each time it wishes to submit IO. This can be
enabled securely as long as we don't enable sharing of io_uring file
descriptors across domains. The kernel polling thread created by `SQPOLL`
will inherit the credentials of the thread that created the io_uring [1].
* Removes the selinux policy that restricted all domains that make use of
the `userfault_fd` macro from any `anon_inode` created by another domain.
This is overly restrictive, as it prohibits the use of two different
`anon_inode` use cases in a single domain e.g. userfaultfd and io_uring.
This change also replaces existing sepolicy in fastbootd and snapuserd
that enabled the use of io_uring.
[1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/
Bug: 253385258
Test: m selinux_policy
Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423
Test: Manually deliver OTAs (built with m dist) to a recent Pixel device
and ensure snapuserd functions correctly (no io_uring failures)
Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f
diff --git a/private/access_vectors b/private/access_vectors
index 6cd8c4e..adb3a61 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -789,3 +789,10 @@
integrity
confidentiality
}
+
+class io_uring
+{
+ override_creds
+ sqpoll
+ cmd
+}