system_server: replace sys_resource with sys_ptrace
Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. However, in an SELinux based world, allowing
this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE
(without :process ptrace) already provides.
Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE.
Add a neverallow rule to prevent system_server from using this
capability to ptrace attach to any other process. This limits the
capability of system_server to only reading sensitive /proc files, but
not ptrace() access.
Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
Bug: 34951864
Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34
diff --git a/private/system_server.te b/private/system_server.te
index cba1ab3..4c44d9d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -68,16 +68,13 @@
net_raw
sys_boot
sys_nice
- sys_resource
+ sys_ptrace
sys_time
sys_tty_config
};
wakelock_use(system_server)
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system_server self:capability sys_ptrace;
-
# Trigger module auto-load.
allow system_server kernel:system module_request;
@@ -696,3 +693,11 @@
# dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+# This neverallow can be removed after b/34951864 is fixed.
+neverallow system_server system_server:capability sys_resource;