Merge "Allow access to trace_data_file from untrusted_app context"
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 8974a1d..0c0ef41 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -6,6 +6,10 @@
# allow domain transition from init
init_daemon_domain(apkdmverity)
+# apkdmverity is using bootstrap bionic
+allow apkdmverity system_bootstrap_lib_file:dir r_dir_perms;
+allow apkdmverity system_bootstrap_lib_file:file { execute read open getattr map };
+
# apkdmverity accesses "payload metadata disk" which points to
# a /dev/vd* block device file.
allow apkdmverity block_device:dir r_dir_perms;
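Review bot: The hand-spelled permission set `{ execute read open getattr map }` on the new system_bootstrap_lib_file:file rule stands out in a file that otherwise uses the `r_dir_perms`/`rw_file_perms` macros, and nothing records why the narrower set was chosen. If it is deliberate (no write or ioctl; execute and map are what mapping a shared library needs), a comment such as `# minimal set for loading the bootstrap libs: execute+map, no write/ioctl` above the rule would stop a later cleanup from widening it to `r_file_perms` plus execute. The `:dir r_dir_perms` line can stay as it is.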
@@ -20,6 +24,9 @@
# allow apkdmverity to create loop devices with /dev/loop-control
allow apkdmverity loop_control_device:chr_file rw_file_perms;
+# allow apkdmverity to read the roothash passed from microdroid_manager
+get_prop(apkdmverity, microdroid_manager_roothash_prop)
+
# allow apkdmverity to access loop devices
allow apkdmverity loop_device:blk_file rw_file_perms;
allowxperm apkdmverity loop_device:blk_file ioctl {
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index a3dfb27..ac5ad6c 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -218,9 +218,13 @@
allow domain self:global_capability_class_set audit_control;
allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-# workaround for supressing property accesses.
-# TODO: remove these
-set_prop(domain, property_type -vmsecret_keymint_prop)
+# workaround for suppressing property accesses.
+# TODO(b/199007910): remove these
+set_prop(domain, {
+ property_type
+ -vmsecret_keymint_prop
+ -microdroid_manager_roothash_prop
+})
# auditallow { domain -init } property_type:property_service set;
# auditallow { domain -init } property_type:file rw_file_perms;
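Review bot: The domain-wide `set_prop(domain, { property_type ... })` workaround still covers the new `ctl_apkdmverity_prop`, `ctl_zipfuse_prop` and `apex_config_prop` types, because only the roothash property was added to the exclusion list. Until b/199007910 is resolved, every domain in the image can therefore issue `ctl.start$apkdmverity` / `ctl.start$zipfuse` and set `apex_config.done`, which makes the explicit `set_prop(microdroid_manager, ...)` rules in the microdroid_manager.te hunk redundant rather than restrictive. If the intent is to scope service control to microdroid_manager, add `-ctl_apkdmverity_prop` and `-ctl_zipfuse_prop` to this set and pair them with a `neverallow { domain -init -microdroid_manager } ...:property_service set;` in private/property.te, as was done for the roothash property; excluding apex_config_prop presumably also needs an explicit grant to whichever domain writes apex_config.done, which is outside this change.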
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 893469c..f1d3140 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -44,4 +44,14 @@
IOCTL_VM_SOCKETS_GET_LOCAL_CID
};
+# Allow microdroid_manager to start the services apkdmverity and zipfuse
+set_prop(microdroid_manager, ctl_apkdmverity_prop)
+set_prop(microdroid_manager, ctl_zipfuse_prop)
+
+# Allow microdroid_manager to wait for linkerconfig to be ready
+get_prop(microdroid_manager, apex_config_prop)
+
+# Allow microdroid_manager to pass the roothash to apkdmverity
+set_prop(microdroid_manager, microdroid_manager_roothash_prop)
+
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index d3d413e..58942b6 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -14,3 +14,18 @@
-microdroid_manager
-hal_keymint_server
} vmsecret_keymint_prop:file no_rw_file_perms;
+
+# microdroid_manager_roothash_prop can only be set by microdroid_manager
+# and read by apkdmverity
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+} microdroid_manager_roothash_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -microdroid_manager
+ -apkdmverity
+} microdroid_manager_roothash_prop:file no_rw_file_perms;
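Review bot: The comment above the new neverallow pair states the property "can only be set by microdroid_manager and read by apkdmverity", but both rules also exempt init, and the read rule exempts microdroid_manager as well, so the comment understates who is permitted. Suggest `# microdroid_manager_roothash_prop is set only by microdroid_manager (and init)` / `# and readable only by apkdmverity and microdroid_manager`. The file section opens with the tail of an earlier neverallow whose head is outside the hunk.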
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 61cd68d..f2ce09a 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -21,6 +21,9 @@
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
+ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
+
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.console u:object_r:ctl_console_prop:s0
ctl. u:object_r:ctl_default_prop:s0
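Review bot: Only `ctl.start$apkdmverity` and `ctl.start$zipfuse` receive the new types; `ctl.stop$…` (and `ctl.restart$…`, if used) for the same services fall through to the `ctl.` prefix entry and are labeled ctl_default_prop, unlike the apexd entry just above, which labels `ctl.stop$apexd` with ctl_apexd_prop. If stopping these services should be controlled by the same type as starting them, add `ctl.stop$apkdmverity u:object_r:ctl_apkdmverity_prop:s0` and `ctl.stop$zipfuse u:object_r:ctl_zipfuse_prop:s0`; if the omission is deliberate, a short comment saying so would keep it from being read as an oversight.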
@@ -97,3 +100,7 @@
ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
+
+apex_config.done u:object_r:apex_config_prop:s0 exact bool
+
+microdroid_manager.apk_roothash u:object_r:microdroid_manager_roothash_prop:s0 exact string
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index f5dc758..577353a 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -5,6 +5,7 @@
type cold_boot_done_prop, property_type;
type ctl_adbd_prop, property_type;
type ctl_apexd_prop, property_type;
+type ctl_apkdmverity_prop, property_type;
type ctl_console_prop, property_type;
type ctl_default_prop, property_type;
type ctl_fuse_prop, property_type;
@@ -15,6 +16,7 @@
type ctl_sigstop_prop, property_type;
type ctl_start_prop, property_type;
type ctl_stop_prop, property_type;
+type ctl_zipfuse_prop, property_type;
type debug_prop, property_type;
type default_prop, property_type;
type exported_default_prop, property_type;
@@ -31,6 +33,8 @@
type usb_control_prop, property_type;
type vendor_default_prop, property_type;
type vmsecret_keymint_prop, property_type;
+type apex_config_prop, property_type;
+type microdroid_manager_roothash_prop, property_type;
allow property_type tmpfs:filesystem associate;
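Review bot: The two declarations in the third hunk, `apex_config_prop` and `microdroid_manager_roothash_prop`, are appended after `vmsecret_keymint_prop`, whereas `ctl_apkdmverity_prop` and `ctl_zipfuse_prop` in the first two hunks were slotted into the alphabetical order the list otherwise keeps. Moving each of the two new lines up to its alphabetical position keeps the file consistent and avoids repeated merge conflicts at the tail of the list.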
diff --git a/private/simpleperf.te b/private/simpleperf.te
index 9c70060..0639c11 100644
--- a/private/simpleperf.te
+++ b/private/simpleperf.te
@@ -5,16 +5,7 @@
typeattribute simpleperf coredomain;
type simpleperf_exec, system_file_type, exec_type, file_type;
-# Define apps that can be marked debuggable/profileable and be profiled by simpleperf.
-define(`simpleperf_profileable_apps', `{
- ephemeral_app
- isolated_app
- platform_app
- priv_app
- untrusted_app_all
-}')
-
-domain_auto_trans({ simpleperf_profileable_apps -runas_app }, simpleperf_exec, simpleperf)
+domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
# When running in this domain, simpleperf is scoped to profiling an individual
# app. The necessary MAC permissions for profiling are more maintainable and
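Review bot: The replacement `domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)` drops ephemeral_app, isolated_app, platform_app and priv_app from the profileable set without a comment recording why the scope was narrowed, and the same narrowing is repeated in the second simpleperf.te hunk and in simpleperf_app_runner.te. Since the removed `simpleperf_profileable_apps` macro was the one place that documented the set, a one-line comment above the transition rule, e.g. `# Only untrusted_app_all domains may launch simpleperf in this domain and be ptraced by it`, would keep that intent discoverable. The accompanying reduction of the ptrace and r_dir_file grants tightens what a simpleperf process can reach and is not itself a defect.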
@@ -25,19 +16,14 @@
# Allow ptrace attach to the target app, for reading JIT debug info (using
# process_vm_readv) during unwinding and symbolization.
-allow simpleperf simpleperf_profileable_apps:process ptrace;
+allow simpleperf untrusted_app_all:process ptrace;
# Allow using perf_event_open syscall for profiling the target app.
allow simpleperf self:perf_event { open read write kernel };
# Allow /proc/<pid> access for the target app (for example, when trying to
# discover it by cmdline).
-r_dir_file(simpleperf, simpleperf_profileable_apps)
-
-# Allow apps signalling simpleperf domain, which is the domain that the simpleperf
-# profiler runs as when executed by the app. The signals are used to control
-# the profiler (which would be profiling the app that is sending the signal).
-allow simpleperf_profileable_apps simpleperf:process signal;
+r_dir_file(simpleperf, untrusted_app_all)
# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
diff --git a/private/simpleperf_app_runner.te b/private/simpleperf_app_runner.te
index 184a80a..17fd8cd 100644
--- a/private/simpleperf_app_runner.te
+++ b/private/simpleperf_app_runner.te
@@ -21,7 +21,7 @@
# simpleperf_app_runner switches to the app security context.
selinux_check_context(simpleperf_app_runner) # validate context
allow simpleperf_app_runner self:process setcurrent;
-allow simpleperf_app_runner { ephemeral_app isolated_app platform_app priv_app untrusted_app_all }:process dyntransition; # setcon
+allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
# determine which domain to transition to.
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index dec92f8..0128dfe 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -171,6 +171,11 @@
allow untrusted_app_all self:lockdown integrity;
')
+# Allow signalling simpleperf domain, which is the domain that the simpleperf
+# profiler runs as when executed by the app. The signals are used to control
+# the profiler (which would be profiling the app that is sending the signal).
+allow untrusted_app_all simpleperf:process signal;
+
# Allow running a VM for test/demo purposes
userdebug_or_eng(`
virtualizationservice_use(untrusted_app_all)