Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 214294ce75b41cff0add4da858f8fb9d23719eb8^! / . / private / fastbootd.te
commit214294ce75b41cff0add4da858f8fb9d23719eb8[log] [tgz]
authorGil Cukierman <cukie@google.com>Mon Nov 14 17:06:36 2022 -0500
committerGil Cukierman <cukie@google.com>Fri Jan 27 11:44:59 2023 -0500
tree465326c47125927e50be62454d7d409a19121944
parent7e754a1c5631f98b53064e4edd27d6439f9b7609 [diff] [blame]
Add SELinux Policy For io_uring

Brings in the io_uring class and associated restrictions and adds a new
macro, `io_uring_use`, to sepolicy.

In more detail, this change:

* Adds a new macro expands to ensure the domain it is passed can undergo a
type transition to a new type, `<domain>_iouring`, when the anon_inode
being accessed is labeled `[io_uring]`. It also allows the domain to
create, read, write, and map the io_uring anon_inode.

* Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag
during `io_uring_setup` so that a syscall to `io_uring_enter` is not
required by the caller each time it wishes to submit IO. This can be
enabled securely as long as we don't enable sharing of io_uring file
descriptors across domains. The kernel polling thread created by `SQPOLL`
will inherit the credentials of the thread that created the io_uring [1].

* Removes the selinux policy that restricted all domains that make use of
the `userfault_fd` macro from any `anon_inode` created by another domain.
This is overly restrictive, as it prohibits the use of two different
`anon_inode` use cases in a single domain e.g. userfaultfd and io_uring.

This change also replaces existing sepolicy in fastbootd and snapuserd
that enabled the use of io_uring.

[1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/

Bug: 253385258
Test: m selinux_policy
Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423
Test: Manually deliver OTAs (built with m dist) to a recent Pixel device
and ensure snapuserd functions correctly (no io_uring failures)

Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f

diff --git a/private/fastbootd.te b/private/fastbootd.te
index d93ee42..7dc1741 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te

@@ -50,7 +50,7 @@
   hal_client_domain(fastbootd, hal_fastboot)
 ')
 
-# io_uring_setup needs ipc_lock and permission to operate anon inodes
+# This capability allows fastbootd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the fastbootd service.
 allow fastbootd self:capability ipc_lock;
-
-allow fastbootd self:anon_inode create_file_perms;
+io_uring_use(fastbootd)