SEPolicy changes to allow kcov access in userdebug.

This includes the SELinux policy changes to allow for
kcov access in userdebug builds for coverage-guided
kernel fuzzing.

Bug: 117990869

Test: Ran syzkaller with Android untrusted_app sandbox with coverage.
Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 7936147..16ae1a0 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -19,7 +19,8 @@
 
 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow all_untrusted_apps debugfs_type:file read;
+neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:file read;
 
 # Do not allow untrusted apps to register services.
 # Only trusted components of Android should be registering
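Review bot: The comment above the two new neverallow rules still describes a single blanket restriction and does not explain why there are now two. The first rule exempts `debugfs_kcov` on every build type, so the user-build guarantee rests entirely on the second rule, where `userdebug_or_eng(`-domain')` empties the source set on debug builds and leaves `all_untrusted_apps` intact on user builds. That dependency is easy to break in a later edit. I would add a comment such as `# debugfs_kcov is exempted only for userdebug/eng kernel fuzzing; the second rule keeps the full debugfs_type restriction on user builds.`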
diff --git a/private/file.te b/private/file.te
index 8d18a90..fd1c2ee 100644
--- a/private/file.te
+++ b/private/file.te
@@ -9,3 +9,7 @@
 
 # /data/misc/perfetto-traces for perfetto traces
 type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+
+# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
+type debugfs_kcov, fs_type, debugfs_type;
+
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f87c086..ca13998 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -252,6 +252,9 @@
 genfscon debugfs /tracing/events/sync/                                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/fence/                                          u:object_r:debugfs_tracing:s0
 
+genfscon debugfs /kcov								 u:object_r:debugfs_kcov:s0
+
+
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon exfat / u:object_r:exfat:s0
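Review bot: The added `genfscon debugfs /kcov` entry is aligned with a run of tabs, while the neighbouring debugfs entries use spaces, and it is followed by two blank lines where the file otherwise uses one. Aligning the context column with spaces and dropping one blank line would match the surrounding block. A short comment such as `# kcov: labelled separately so userdebug/eng policy can grant access for kernel fuzzing` would also explain why this one node gets its own type.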
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 527216d..72e03e1 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -140,3 +140,10 @@
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
 # denial to prevent third party apps from spamming the logs.
 dontaudit untrusted_app_all system_data_file:dir write;
+
+# Allow access to kcov via its ioctl interface for coverage
+# guided kernel fuzzing.
+userdebug_or_eng(`
+  allow untrusted_app_all debugfs_kcov:file rw_file_perms;
+  allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
+')
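Review bot: The comment on the new block mentions only the ioctl interface, but the `allow` line grants the whole `rw_file_perms` set to every domain in `untrusted_app_all` on userdebug/eng builds. It does not say why the grant goes to all untrusted apps; going by the commit's Test line, this appears intended so a fuzzer can run inside the untrusted_app sandbox. I would state that scope explicitly, for example `# userdebug/eng only: lets a fuzzer running in the untrusted_app sandbox open, read and write kcov; allowxperm limits ioctls to the three listed.` It is also worth noting that user builds stay covered by the debugfs neverallow in app_neverallows.te, so the two files are read together.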
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 97869f9..ab2f7c5 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -1169,6 +1169,9 @@
 define(`JSIOCSAXMAP', `0x40406a31')
 define(`JSIOCSBTNMAP', `0x44006a33')
 define(`JSIOCSCORR', `0x40246a21')
+define(`KCOV_DISABLE', `0x00006365')
+define(`KCOV_ENABLE', `0x00006364')
+define(`KCOV_INIT_TRACE', `0x80086301')
 define(`KDADDIO', `0x00004b34')
 define(`KDDELIO', `0x00004b35')
 define(`KDDISABIO', `0x00004b37')
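Review bot: The `KCOV_INIT_TRACE` value `0x80086301` encodes an 8-byte argument size, which is the 64-bit ABI form of the command; a 32-bit process would issue a different upper half. This probably does not matter if extended-permission matching only considers the low 16 bits of the command, but that should be confirmed for the target kernels. The patch or commit message should record that the define was taken from a 64-bit build, so a later reader does not treat the full 32-bit value as ABI-independent.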