platform_system_sepolicy/blkid_untrusted.te

# blkid for untrusted block devices
type blkid_untrusted, domain;

# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;

# Allow stdin/out back to vold
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { read write getattr };

# For blkid launched through popen()
allow blkid_untrusted blkid_exec:file rx_file_perms;

###
### neverallow rules
###

# Untrusted blkid should never be run on block devices holding sensitive data
neverallow blkid_untrusted {
  boot_block_device
  frp_block_device
  metadata_block_device
  recovery_block_device
  root_block_device
  swap_block_device
  system_block_device
  userdata_block_device
  cache_block_device
  dm_device
}:blk_file no_rw_file_perms;

# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow domain blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
Different blkid and fsck execution domains. vold works with two broad classes of block devices: untrusted devices that come in from the wild, and trusted devices. When running blkid and fsck, we pick which SELinux execution domain to use based on which class the device belongs to. Bug: 19993667 Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5 2015-04-01 19:15:51 +02:00			`# blkid for untrusted block devices`
			`type blkid_untrusted, domain;`

			`# Allowed read-only access to vold block devices to extract UUID/label`
			`allow blkid_untrusted block_device:dir search;`
			`allow blkid_untrusted vold_device:blk_file r_file_perms;`

			`# Allow stdin/out back to vold`
			`allow blkid_untrusted vold:fd use;`
			`allow blkid_untrusted vold:fifo_file { read write getattr };`

			`# For blkid launched through popen()`
			`allow blkid_untrusted blkid_exec:file rx_file_perms;`

			`###`
			`### neverallow rules`
			`###`

			`# Untrusted blkid should never be run on block devices holding sensitive data`
			`neverallow blkid_untrusted {`
			`boot_block_device`
			`frp_block_device`
			`metadata_block_device`
			`recovery_block_device`
			`root_block_device`
			`swap_block_device`
			`system_block_device`
			`userdata_block_device`
			`cache_block_device`
			`dm_device`
			`}:blk_file no_rw_file_perms;`

			`# Only allow entry from vold via blkid binary`
			`neverallow { domain -vold } blkid_untrusted:process transition;`
			`neverallow domain blkid_untrusted:process dyntransition;`
			`neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;`