SEPolicy changes to allow kcov access in userdebug.

This includes the SELinux policy changes to allow for kcov access in userdebug builds for coverage-guided kernel fuzzing. Bug: 117990869 Test: Ran syzkaller with Android untrusted_app sandbox with coverage. Change-Id: I1fcaad447c7cdc2a3360383b5dcd76e8a0f93f09
2018-11-29 10:37:18 -08:00 · 2018-11-29 10:37:18 -08:00 · 55d9096652
commit 55d9096652
parent 9cded32f6a
5 changed files with 19 additions and 1 deletions
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@ -19,7 +19,8 @@ neverallow all_untrusted_apps domain:netlink_socket *;

 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
-neverallow all_untrusted_apps debugfs_type:file read;
+neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
+neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:file read;

 # Do not allow untrusted apps to register services.
 # Only trusted components of Android should be registering
--- a/private/file.te
+++ b/private/file.te
@ -9,3 +9,7 @@ type wm_trace_data_file, file_type, data_file_type, core_data_file_type;

 # /data/misc/perfetto-traces for perfetto traces
 type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
+
+# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
+type debugfs_kcov, fs_type, debugfs_type;
+
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@ -252,6 +252,9 @@ genfscon debugfs /tracing/events/lowmemorykiller/
 genfscon debugfs /tracing/events/sync/                                           u:object_r:debugfs_tracing:s0
 genfscon debugfs /tracing/events/fence/                                          u:object_r:debugfs_tracing:s0

+genfscon debugfs /kcov								 u:object_r:debugfs_kcov:s0
+
+
 genfscon inotifyfs / u:object_r:inotify:s0
 genfscon vfat / u:object_r:vfat:s0
 genfscon exfat / u:object_r:exfat:s0
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@ -140,3 +140,10 @@ create_pty(untrusted_app_all)
 # the ACTION_USER_UNLOCKED intent is delivered. Suppress this
 # denial to prevent third party apps from spamming the logs.
 dontaudit untrusted_app_all system_data_file:dir write;
+
+# Allow access to kcov via its ioctl interface for coverage
+# guided kernel fuzzing.
+userdebug_or_eng(`
+  allow untrusted_app_all debugfs_kcov:file rw_file_perms;
+  allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
+')
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@ -1169,6 +1169,9 @@ define(`JSIOCGVERSION', `0x80046a01')
 define(`JSIOCSAXMAP', `0x40406a31')
 define(`JSIOCSBTNMAP', `0x44006a33')
 define(`JSIOCSCORR', `0x40246a21')
+define(`KCOV_DISABLE', `0x00006365')
+define(`KCOV_ENABLE', `0x00006364')
+define(`KCOV_INIT_TRACE', `0x80086301')
 define(`KDADDIO', `0x00004b34')
 define(`KDDELIO', `0x00004b35')
 define(`KDDISABIO', `0x00004b37')