commit d60a38b02e9d44365399d1f97719f32cf4587a5c
author Kalesh Singh <kaleshsingh@google.com> Fri May 24 11:37:23 2024 -0700
committer Inseob Kim <inseob@google.com> Tue May 28 00:30:31 2024 +0000
tree fe4dc939243e6b67c48f74a843de4849a7142ef9
parent 42598a96baead53681c5178981ac5650e66dbde9

microdroid: Add rules for /sys/kernel/mm/pgsize_migration/enabled

The dynamic linker needs to read this node to determine how it should
load ELF files. See page_size_migration_supported() [1]

Allow the node to be enabled/disabled by init.

[1] https://cs.android.com/android/platform/superproject/main/+/3d5e32517bbf56e9c69e3133a1b849b97cd6aa1d:bionic/linker/linker_phdr.cpp;l=709-721

Bug: 342520142
Bug: 330117029
Bug: 327600007
Bug: 330767927
Bug: 328266487
Bug: 329803029
Test: no avc deined in logcat
Change-Id: I91381e36943ea0387ff245e924ddab53a4928a05
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>

microdroid/system/private/domain.te

diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 118425a..7361462 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -200,6 +200,10 @@
 allow domain apex_mnt_dir:dir { getattr search };
 allow domain apex_mnt_dir:lnk_file r_file_perms;
 
+# Allow reading /sys/kernel/mm/pgsize_migration/enabled
+allow domain sysfs_pgsize_migration:dir search;
+allow domain sysfs_pgsize_migration:file r_file_perms;
+
 # globally readable properties
 get_prop(domain, arm64_memtag_prop)
 get_prop(domain, bootloader_prop)
@@ -545,3 +549,7 @@
 
 # Only crash_dump is allowed to access ptrace
 neverallow { domain -crash_dump } domain:process ptrace;
+
+# Only init is allowed to write sysfs_pgsize_migration;
+# ueventd needs write access to all sysfs files.
+neverallow { domain -init -vendor_init -ueventd } sysfs_pgsize_migration:file no_w_file_perms;

microdroid/system/private/file.te

diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index e250c35..82a5564 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -30,3 +30,7 @@
 
 # /data/misc/perfetto-configs for perfetto configs
 type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
+
+
+# Type for /sys/kernel/mm/pgsize_migration/enabled
+type sysfs_pgsize_migration, fs_type, sysfs_type;

microdroid/system/private/genfs_contexts

diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 13ce685..8938ef2 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -159,6 +159,7 @@
 genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
 genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
 genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
+genfscon sysfs /kernel/mm/pgsize_migration/enabled u:object_r:sysfs_pgsize_migration:s0
 genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
 genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
 genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0

microdroid/system/private/init.te

diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 4441d12..67af209 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -303,6 +303,7 @@
   sysfs_power
   sysfs_fs_f2fs
   sysfs_dm
+  sysfs_pgsize_migration
 }:file w_file_perms;
 
 allow init {