Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 214294ce75b41cff0add4da858f8fb9d23719eb8^! / . / private / snapuserd.te
commit214294ce75b41cff0add4da858f8fb9d23719eb8[log] [tgz]
authorGil Cukierman <cukie@google.com>Mon Nov 14 17:06:36 2022 -0500
committerGil Cukierman <cukie@google.com>Fri Jan 27 11:44:59 2023 -0500
tree465326c47125927e50be62454d7d409a19121944
parent7e754a1c5631f98b53064e4edd27d6439f9b7609 [diff] [blame]
Add SELinux Policy For io_uring

Brings in the io_uring class and associated restrictions and adds a new
macro, `io_uring_use`, to sepolicy.

In more detail, this change:

* Adds a new macro expands to ensure the domain it is passed can undergo a
type transition to a new type, `<domain>_iouring`, when the anon_inode
being accessed is labeled `[io_uring]`. It also allows the domain to
create, read, write, and map the io_uring anon_inode.

* Adds the ability for a domain to use the `IORING_SETUP_SQPOLL` flag
during `io_uring_setup` so that a syscall to `io_uring_enter` is not
required by the caller each time it wishes to submit IO. This can be
enabled securely as long as we don't enable sharing of io_uring file
descriptors across domains. The kernel polling thread created by `SQPOLL`
will inherit the credentials of the thread that created the io_uring [1].

* Removes the selinux policy that restricted all domains that make use of
the `userfault_fd` macro from any `anon_inode` created by another domain.
This is overly restrictive, as it prohibits the use of two different
`anon_inode` use cases in a single domain e.g. userfaultfd and io_uring.

This change also replaces existing sepolicy in fastbootd and snapuserd
that enabled the use of io_uring.

[1] https://patchwork.kernel.org/project/linux-security-module/patch/163159041500.470089.11310853524829799938.stgit@olly/

Bug: 253385258
Test: m selinux_policy
Test: cd external/liburing; mm; atest liburing_test; # requires WIP CL ag/20291423
Test: Manually deliver OTAs (built with m dist) to a recent Pixel device
and ensure snapuserd functions correctly (no io_uring failures)

Change-Id: I96f38760b3df64a1d33dcd6e5905445ccb125d3f

diff --git a/private/snapuserd.te b/private/snapuserd.te
index 2f2d3e7..797a6c2 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te

@@ -8,8 +8,6 @@
 
 allow snapuserd kmsg_device:chr_file rw_file_perms;
 
-allow snapuserd self:capability ipc_lock;
-
 # Allow snapuserd to reach block devices in /dev/block.
 allow snapuserd block_device:dir search;
 
@@ -54,9 +52,12 @@
   -init
 } snapuserd_prop:property_service set;
 
-allow snapuserd self:anon_inode create_file_perms;
-
 # Allow to read/write/create OTA metadata files
 allow snapuserd metadata_file:dir search;
 allow snapuserd ota_metadata_file:dir rw_dir_perms;
 allow snapuserd ota_metadata_file:file create_file_perms;
+
+# This capability allows snapuserd to circumvent memlock rlimits while using
+# io_uring. An Alternative would be to up the memlock rlimit for the snapuserd service.
+allow snapuserd self:capability ipc_lock;
+io_uring_use(snapuserd)