llkd: Add stack symbol checking
llkd needs the ptrace and dac override capabilities to monitor the stack dumps
for live lock conditions.
Test: compile
Bug: 33808187
Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index fb8cde1..41979af 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -76,10 +76,11 @@
incident_helper
incident_helper_exec
kmsg_debug_device
+ last_boot_reason_prop
llkd
llkd_exec
+ llkd_prop
llkd_tmpfs
- last_boot_reason_prop
lowpan_device
lowpan_prop
lowpan_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 4e95303..278d605 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -69,6 +69,7 @@
last_boot_reason_prop
llkd
llkd_exec
+ llkd_prop
llkd_tmpfs
lowpan_device
lowpan_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index c64e341..6a79c75 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -14,6 +14,7 @@
hal_system_suspend_default_tmpfs
llkd
llkd_exec
+ llkd_prop
llkd_tmpfs
mnt_product_file
overlayfs_file
diff --git a/private/crash_dump.te b/private/crash_dump.te
index a50740e..aabff29 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -7,17 +7,23 @@
-init
-kernel
-keystore
+ -llkd
-logd
-ueventd
-vendor_init
-vold
}:process { ptrace signal sigchld sigstop sigkill };
+userdebug_or_eng(`
+ allow crash_dump { llkd logd }:process { ptrace signal sigchld sigstop sigkill };
+')
neverallow crash_dump {
bpfloader
init
kernel
keystore
+ llkd
+ userdebug_or_eng(`-llkd')
logd
userdebug_or_eng(`-logd')
ueventd
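Review bot: The new userdebug_or_eng `allow crash_dump { llkd logd }:process { ptrace signal sigchld sigstop sigkill };` carries no comment explaining why crash_dump may reach two daemons that the rule just above deliberately excludes, and a reader of the neverallow that follows has to cross-reference both exclusion lists to see that it is consistent. A one-line comment such as `# On userdebug/eng builds crash_dump may also dump llkd and logd, which are excluded from the rule above` placed above the block would make the exemption read as deliberate. Worth keeping in mind that the llkd target itself holds sys_ptrace over most of the system on these builds (see llkd.te in this change), so this is a debug-only widening rather than a production one. The neverallow block that starts here closes outside the hunk.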
diff --git a/private/domain.te b/private/domain.te
index 1ae31ae..5c6fec8 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -8,6 +8,7 @@
neverallow {
domain
-vold
+ userdebug_or_eng(`-llkd')
-dumpstate
userdebug_or_eng(`-incidentd')
-storaged
diff --git a/private/llkd.te b/private/llkd.te
index 54c6d04..73e3f58 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -3,7 +3,13 @@
init_daemon_domain(llkd)
+get_prop(llkd, llkd_prop)
+
allow llkd self:global_capability_class_set kill;
+userdebug_or_eng(`
+ allow llkd self:global_capability_class_set sys_ptrace;
+ allow llkd self:global_capability_class_set dac_override;
+')
# llkd optionally locks itself in memory, to prevent it from being
# swapped out and unable to discover a kernel in live-lock state.
@@ -12,6 +18,16 @@
# Send kill signals to _anyone_ suffering from Live Lock
allow llkd domain:process sigkill;
+# read stack to check for Live Lock
+userdebug_or_eng(`
+ allow llkd {
+ domain
+ -keystore
+ -init
+ -llkd
+ }:process ptrace;
+')
+
# live lock watchdog process allowed to look through /proc/
allow llkd domain:dir r_dir_perms;
allow llkd domain:file r_file_perms;
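Review bot: The new ptrace allow is userdebug/eng-only while the `allow llkd domain:process sigkill;` just above it is unconditional, so on user builds the stack read will be denied rather than return a stack; the comment should state that asymmetry, e.g. `# read stack to check for Live Lock (userdebug/eng only; on user builds the read is denied and must count as "no information", not as a live lock)`. Whether llkd actually degrades that way lives in the daemon, not in this policy, but it is worth confirming, because a false positive here ends in a sigkill. The exclusion set `-keystore -init -llkd` is hand-written and differs from the one crash_dump uses (kernel, ueventd, vendor_init, vold); if the narrower list is intentional because llkd must be able to inspect those domains, a short comment saying so would stop someone "fixing" it later.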
@@ -27,6 +43,7 @@
### neverallow rules
neverallow { domain -init } llkd:process { dyntransition transition };
+neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
# never honor LD_PRELOAD
neverallow * llkd:process noatsecure;
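Review bot: The new `neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;` has no comment, unlike its counterpart in logd.te (`# ... and nobody may ptrace me (except on userdebug or eng builds)`); adding the same sentence above it makes the crash_dump exemption read as deliberate. It also bars llkd from ptracing itself, since `domain` includes llkd and only crash_dump is excluded, which is exactly why the allow in the previous hunk must keep its `-llkd` exclusion; a comment noting that coupling would prevent either rule from being edited in isolation.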
diff --git a/private/property_contexts b/private/property_contexts
index 2726d84..b0f8653 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -34,6 +34,10 @@
debug.db. u:object_r:debuggerd_prop:s0
dumpstate. u:object_r:dumpstate_prop:s0
dumpstate.options u:object_r:dumpstate_options_prop:s0
+llk. u:object_r:llkd_prop:s0
+khungtask. u:object_r:llkd_prop:s0
+ro.llk. u:object_r:llkd_prop:s0
+ro.khungtask. u:object_r:llkd_prop:s0
log. u:object_r:log_prop:s0
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
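Review bot: The four new entries break the alphabetical order the surrounding block follows: `khungtask.` is placed after `llk.`, and the two `ro.` prefixes sit among non-`ro.` keys rather than with the other `ro.` entries, if the file keeps those grouped. Reordering them costs nothing and keeps the file scannable. Separately, this change only adds `get_prop(llkd, llkd_prop)`, so nothing in the diff can set these properties; if they are meant to be set from init scripts or the shell on debug builds, that grant belongs in the same change, otherwise a brief comment above the entries saying they are read-only configuration for llkd would help.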
diff --git a/public/app.te b/public/app.te
index 40a0a00..932116e 100644
--- a/public/app.te
+++ b/public/app.te
@@ -412,9 +412,15 @@
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components
# to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces.
+# produce stack traces. llkd is excluded, as it needs ptrace access to
+# inspect stack traces for live lock conditions.
-neverallow { domain -appdomain -crash_dump } appdomain:process ptrace;
+neverallow {
+ domain
+ -appdomain
+ -crash_dump
+ userdebug_or_eng(`-llkd')
+} appdomain:process ptrace;
# Read or write access to /proc/pid entries for any non-app domain.
# A different form of hidepid=2 like protections
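Review bot: The rewritten comment says llkd is excluded, but the exclusion on the rule itself is wrapped in `userdebug_or_eng`, so on user builds llkd remains subject to the neverallow; the comment should carry that qualifier, e.g. `# produce stack traces. On userdebug/eng builds llkd is also excluded, as it needs ptrace access to inspect stack traces for live lock conditions.`. The parallel comment in the te_macros hunk (`# the kernel stack for live lock conditions.`) has the same omission and additionally says "kernel stack" where this one says "stack traces"; the two should use one wording so the rationale is not read as two different privileges.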
diff --git a/public/domain.te b/public/domain.te
index 5e43db9..a865bd8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1382,6 +1382,7 @@
-init
-installd
-install_recovery
+ userdebug_or_eng(`-llkd')
-lmkd
-netd
-perfprofd
diff --git a/public/logd.te b/public/logd.te
index b5112b0..91ef545 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -52,7 +52,7 @@
neverallow logd domain:process ptrace;
# ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
+neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
# Write to /system.
neverallow logd system_file:dir_file_class_set write;
diff --git a/public/property.te b/public/property.te
index 7e6c939..eb1fef8 100644
--- a/public/property.te
+++ b/public/property.te
@@ -36,6 +36,7 @@
type hwservicemanager_prop, property_type;
type last_boot_reason_prop, property_type;
type system_lmk_prop, property_type;
+type llkd_prop, property_type;
type logd_prop, property_type, core_property_type;
type logpersistd_logging_prop, property_type;
type log_prop, property_type, log_property_type;
diff --git a/public/te_macros b/public/te_macros
index a03bfe9..def7b46 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -182,8 +182,9 @@
# of application data and execution state. Ptrace bypasses those
# confidentiality guarantees. Disallow ptrace access from system components
# to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces.
-neverallow { domain -$1 -crash_dump } $1:process ptrace;
+# produce stack traces. llkd is excluded, as it needs to inspect
+# the kernel stack for live lock conditions.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') } $1:process ptrace;
')
#####################################