android_system_sepolicy/private/boringssl_self_test.te

type boringssl_self_test, domain, coredomain;
type boringssl_self_test_exec, system_file_type, exec_type, file_type;
type boringssl_self_test_marker, file_type;

# switch to boringssl_self_test security domain when running boringssl_self_test_exec from init.
init_daemon_domain(boringssl_self_test)

# Allow boringssl_self_test binaries to create/check for the existence of boringssl_self_test_marker
# files.
allow boringssl_self_test boringssl_self_test_marker:file create_file_perms;
allow boringssl_self_test boringssl_self_test_marker:dir ra_dir_perms;

# No other process should be able to create these files because their existence causes the
# boringssl self test to be skipped.
neverallow {
  domain
  -boringssl_self_test
  -init
  -vendor_init
} boringssl_self_test_marker:file no_rw_file_perms;

neverallow {
  domain
  -boringssl_self_test
  -init
  -vendor_init
} boringssl_self_test_marker:dir write;
Tweak boringssl_self_test.te Include coredomain in initial definition of boringssl_self_test rather than adding it later. This addresses an outstanding review comment from http://r.android.com/1110523 Test: Treehugger Bug: 137267623 Change-Id: I4e8d4e2e76b1c3a9b5a1f806e43e885b51cb7a60 2019-09-07 16:52:15 -07:00			`type boringssl_self_test, domain, coredomain;`
SEPolicy for boringssl_self_test. This CL adds hand-written SELinux rules to: - define the boringssl_self_test security domain - label the corresponding files at type boringssl_self_test_marker and boringssl_self_test_exec. - define an automatic transition from init to boringssl_self_test domains, plus appropriate access permissions. Bug: 137267623 Test: When run together with the other changes from draft CL topic http://aosp/q/topic:bug137267623_bsslselftest, check that: - both /dev/boringssl/selftest/* marker files are present after the device boots. - Test: after the boringssl_self_test{32,64} binaries have run, no further SELinux denials occur for processes trying to write the marker file. Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f 2019-08-28 14:08:50 -07:00			`type boringssl_self_test_exec, system_file_type, exec_type, file_type;`
			`type boringssl_self_test_marker, file_type;`

			`# switch to boringssl_self_test security domain when running boringssl_self_test_exec from init.`
			`init_daemon_domain(boringssl_self_test)`

			`# Allow boringssl_self_test binaries to create/check for the existence of boringssl_self_test_marker`
			`# files.`
			`allow boringssl_self_test boringssl_self_test_marker:file create_file_perms;`
			`allow boringssl_self_test boringssl_self_test_marker:dir ra_dir_perms;`

			`# No other process should be able to create these files because their existence causes the`
			`# boringssl self test to be skipped.`
			`neverallow {`
			`domain`
			`-boringssl_self_test`
			`-init`
			`-vendor_init`
			`} boringssl_self_test_marker:file no_rw_file_perms;`
SEPolicy: dontaudit attempts to create marker files. Binaries other than boringssl_self_test_exec are not allowed to create marker files /dev/boringssl/selftest/[hash]. Right now, some processes still attempt to because: - Some binaries run so early during early-init that boringssl_self_test{32,64} hasn't had a chance to run yet, so the marker file doesn't exist yet, so the unprivileged process attempts to create it. - Some binaries statically link libcrypto so their [hash] is different from that used by boringssl_self_test{32,64}. There's some ongoing work to stop those binaries even attempting to create the marker files but it's not a big deal if they do. Similarly, there is ongoing work to minimize or eliminate static linking of this library. For now, this CL turns off audit logs for this behavior since it is harmless (a cosmetic issue) and in order to not hold up the bulk of the logic being submitted. Bug: 137267623 Test: Treehugger Change-Id: I3de664c5959efd130f761764fe63515795ea9b98 2019-09-11 11:11:46 -07:00
			`neverallow {`
			`domain`
			`-boringssl_self_test`
			`-init`
			`-vendor_init`
			`} boringssl_self_test_marker:dir write;`