Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / 79ad97a41f3aec81eeefcfe35fb40da08cf760e2^1..79ad97a41f3aec81eeefcfe35fb40da08cf760e2 / .
commit79ad97a41f3aec81eeefcfe35fb40da08cf760e2[log] [tgz]
authorThiƩbaud Weksteen <tweek@google.com>Mon Feb 26 01:14:14 2024 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Mon Feb 26 01:14:14 2024 +0000
treefae5b2b26c336385882dac53a3bc32df75ce41ee
parentb3b5486f3f9b0c239802964896897b348c457e24 [diff]
parent66bb61744702990b5319c1c7526270ce8ad47e6b [diff]
Merge "Grant lockdown integrity to all processes" into main am: 1fc3a6f955 am: 66bb617447

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2971071

Change-Id: I882e3ac1489a106c581801ea16219b3cff83faaf
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f666cc8..c646137 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te

@@ -161,9 +161,6 @@
 userdebug_or_eng(`
   allow untrusted_app_all debugfs_kcov:file rw_file_perms;
   allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
-  # The use of debugfs kcov is considered a breach of the kernel integrity
-  # according to the heuristic of lockdown.
-  allow untrusted_app_all self:lockdown integrity;
 ')
 
 # Allow running a VM for test/demo purposes. Note that access to the

diff --git a/public/domain.te b/public/domain.te
index 755b4b2..996a149 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -259,13 +259,14 @@
 allow domain debugfs_tracing_debug:dir search;
 allow domain debugfs_trace_marker:file w_file_perms;
 
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
 
 # Filesystem access.
 allow domain fs_type:filesystem getattr;
@@ -1310,6 +1311,3 @@
 } ashmem_device:chr_file open;
 
 neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;