commit f46d7a26c19d87e0d39de9504bc6e6ad6fb1aedb
author Marco Ballesio <balejs@google.com> Wed Nov 25 14:02:56 2020 -0800
committer Marco Ballesio <balejs@google.com> Mon Nov 30 11:46:14 2020 -0800
tree 0295316918f3c18962b3b4ba966f56c71967705a
parent aff923a4697b2109b8a887d5db1fc3be7c5c3c5d

sepolicy: rules for uid/pid cgroups v2 hierarchy

the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy
rules. For this reason, old rules have to be duplicated to cgroup_v2,
plus some rules must be added to allow the ownership change for cgroup
files created by init and zygote.

Test: booted device, verified correct access from init, system_server
and zygote to the uid/pid cgroup files

Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809

private/app_neverallows.te

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index e9e2f42..096a41b 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -223,6 +223,7 @@
 
 # Untrusted apps are not allowed to use cgroups.
 neverallow all_untrusted_apps cgroup:file *;
+neverallow all_untrusted_apps cgroup_v2:file *;
 
 # /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
 # must not use it.

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index 84fa107..d996007 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -54,6 +54,10 @@
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
 allow { domain -appdomain -rs } cgroup:file w_file_perms;
 
+allow domain cgroup_v2:dir search;
+allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
+allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
+
 allow domain cgroup_rc_file:dir search;
 allow domain cgroup_rc_file:file r_file_perms;
 allow domain task_profiles_file:file r_file_perms;

private/logpersist.te

diff --git a/private/logpersist.te b/private/logpersist.te
index ac324df..ab2c9c6 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,6 +4,7 @@
 userdebug_or_eng(`
 
   r_dir_file(logpersist, cgroup)
+  r_dir_file(logpersist, cgroup_v2)
 
   allow logpersist misc_logd_file:file create_file_perms;
   allow logpersist misc_logd_file:dir rw_dir_perms;

private/priv_app.te

diff --git a/private/priv_app.te b/private/priv_app.te
index 07ed6c7..adf66f1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -213,6 +213,7 @@
 
 # Do not allow priv_app access to cgroups.
 neverallow priv_app cgroup:file *;
+neverallow priv_app cgroup_v2:file *;
 
 # Do not allow loading executable code from non-privileged
 # application home directories. Code loading across a security boundary

private/surfaceflinger.te

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 37601b9..8549bd5 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -100,6 +100,7 @@
 allow surfaceflinger self:global_capability_class_set sys_nice;
 allow surfaceflinger proc_meminfo:file r_file_perms;
 r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, cgroup_v2)
 r_dir_file(surfaceflinger, system_file)
 allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;

private/system_app.te

diff --git a/private/system_app.te b/private/system_app.te
index 53c31c2..a8434a8 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -152,6 +152,7 @@
 
 # Settings app writes to /dev/stune/foreground/tasks.
 allow system_app cgroup:file w_file_perms;
+allow system_app cgroup_v2:file w_file_perms;
 
 control_logd(system_app)
 read_runtime_log_tags(system_app)

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index 78abdff..9406384 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -839,6 +839,7 @@
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
+allow system_server cgroup_v2:dir { remove_name rmdir };
 
 # /oem access
 r_dir_file(system_server, oemfs)
@@ -917,9 +918,8 @@
 allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
 
 r_dir_file(system_server, cgroup)
+r_dir_file(system_server, cgroup_v2)
 allow system_server ion_device:chr_file r_file_perms;
-allow system_server cgroup_v2:dir rw_dir_perms;
-allow system_server cgroup_v2:file rw_file_perms;
 
 # Access to /dev/dma_heap/system
 allow system_server dmabuf_system_heap_device:chr_file r_file_perms;

private/zygote.te

diff --git a/private/zygote.te b/private/zygote.te
index d3d08bf..722b33d 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -101,6 +101,8 @@
 # Control cgroups.
 allow zygote cgroup:dir create_dir_perms;
 allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote cgroup_v2:dir create_dir_perms;
+allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
 allow zygote self:global_capability_class_set sys_admin;
 
 # Allow zygote to stat the files that it opens. The zygote must
@@ -183,7 +185,10 @@
 get_prop(zygote, device_config_window_manager_native_boot_prop)
 
 # ingore spurious denials
-dontaudit zygote self:global_capability_class_set sys_resource;
+# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
+# done to determine if the file should inherit setgid. In this case, setgid on the file is
+# undesirable, so suppress the denial.
+dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
 
 # Ignore spurious denials calling access() on fuse
 # TODO(b/151316657): avoid the denials