sepolicy: allow init to share a kallsyms fd with tracing daemons
See r.android.com/3408241 for context.
The new order of operations in init:
1) open /proc/kallsyms while it is allowed to see the raw addresses,
which becomes a property of that fd. The fd is retained.
2) Raise kptr_restrict to 2, masking out addresses for all future opens
of /proc/kallsyms, including by init itself. This happens before
the "early-init" stage.
3) Share duplicates of the original saved fd with tracing daemons when
they're started.
The two daemons are still allowed to open their own copies of
/proc/kallsyms to facilitate file locks to coordinate access to the
shared fd (which cannot be used for locking as all processes will share
the lock as well). These opens are harmless since they couldn't give
more info than the fd shared by init (and in practice, the addresses
will be masked out due to kptr_restrict=2).
I've removed the neverallow exclusion for vendor_init since I believe
there wasn't a concrete use-case when it was first added, and it does
not participate in this new fd sharing.
Bug: 383513654
Change-Id: Ie2ab26da6186524bc77cd99bb55a61cef4a7ddf4
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 6540420..78dc7eb 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -35,10 +35,13 @@
# Allow procfs access
r_dir_file(traced_probes, domain)
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
+# For kernel address symbolisation. Allow reading from /proc/kallsyms inherited
+# from init, as well as separately opening and locking the file for
+# coordinating the use of that shared fd.
+# On debuggable builds, allow using lower_kptr_restrict_prop to temporarily
+# lift kptr_restrict systemwide.
userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
-allow traced_probes proc_kallsyms:file r_file_perms;
+allow traced_probes proc_kallsyms:file { open read lock };
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
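Review bot: replacing `r_file_perms` with `{ open read lock }` on the `proc_kallsyms` rule also drops `getattr`, so any fstat() on the inherited fd or on the daemon's own open of /proc/kallsyms will now be denied; if the symbolization reader goes through stdio or a helper that stats the file first, add `getattr` to the set, otherwise a short comment saying it is intentionally excluded would save the next reader a denial hunt. The new comment also says reads happen on the fd inherited from init, which additionally needs an `init:fd use` grant that is not in this hunk; confirm it is covered by an existing rule (domain-wide, for instance) rather than assumed.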