Merge "Grant lockdown integrity to all processes" into main am: 1fc3a6f955

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2971071

Change-Id: I21f3e67d0b697a532f65e4e21b8a193accca521a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f666cc8..c646137 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -161,9 +161,6 @@
 userdebug_or_eng(`
   allow untrusted_app_all debugfs_kcov:file rw_file_perms;
   allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
-  # The use of debugfs kcov is considered a breach of the kernel integrity
-  # according to the heuristic of lockdown.
-  allow untrusted_app_all self:lockdown integrity;
 ')
 
 # Allow running a VM for test/demo purposes. Note that access to the
diff --git a/public/domain.te b/public/domain.te
index 755b4b2..996a149 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -259,13 +259,14 @@
 allow domain debugfs_tracing_debug:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;
 
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
 
 # Filesystem access.
 allow domain fs_type:filesystem getattr;
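Review bot: The new comment above `allow domain self:lockdown { confidentiality integrity };` says the integrity permission "mainly duplicates pre-existing rules" but never names which rules now carry the enforcement that the dropped `neverallow … self:lockdown integrity` provided, so a maintainer who later loosens one of those rules has no pointer back to this decision; add a sentence along the lines of `# Do not treat this permission as a security boundary: the operations the lockdown "integrity" heuristic gated (e.g. debugfs kcov, per the untrusted_app_all rule) must each be covered by their own dedicated rules and neverallows.` The exact set of operations the kernel's integrity hook gates presumably varies across the pre-5.16 kernels still supported, so that list should be confirmed against them rather than copied from upstream documentation. Wording fixes in the same block: `some access were found` → `some accesses were found`, `once no kernel <5.16 are supported` → `once no kernel <5.16 is supported`, and the comma splice `Grant unconditional access, these rules should be removed` reads better as two sentences. The neverallow this comment refers to is removed in a later hunk of the same file, outside this one.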
@@ -1310,6 +1311,3 @@
 } ashmem_device:chr_file open;
 
 neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;