Grant lockdown integrity to all processes
The default policy for the "lockdown" access vector on Android was
introduced in commit bcfca1a6. While the "confidentiality" permission
was granted to all processes, the "integrity" was marked as
neverallowed.
Upstream, the support for that access vector was removed from kernel
5.16 onwards.
It was found that the "integrity" permission either does not apply to
Android or duplicates other access control (e.g., capabilities
sys_admin).
Instead of simply removing the neverallow rule, the access is granted to
all processes. This will prevent the proliferation of references to this
access vector in vendors' policies and ultimately facilitate its
removal.
Test: presubmit
Bug: 285443587
Bug: 269377822
Bug: 319390252
Change-Id: If2ad34fbbf2c0d29ac54ab5d1be430623f86f1f7
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f666cc8..c646137 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -161,9 +161,6 @@
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
')
# Allow running a VM for test/demo purposes. Note that access to the
diff --git a/public/domain.te b/public/domain.te
index 755b4b2..996a149 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -259,13 +259,14 @@
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
+# Linux lockdown mode offered coarse-grained definitions for access controls. In
+# previous versions of the policy, the integrity permission was neverallowed.
+# It was found that this permission mainly duplicates pre-existing rules in
+# the policy (see b/285443587). Additionally, some access were found to be
+# required (b/269377822). The access vector was removed from kernel 5.16
+# onwards. Grant unconditional access, these rules should be removed from the
+# policy once no kernel <5.16 are supported.
+allow domain self:lockdown { confidentiality integrity };
# Filesystem access.
allow domain fs_type:filesystem getattr;
@@ -1310,6 +1311,3 @@
} ashmem_device:chr_file open;
neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;