platform_system_sepolicy/public/fsck_untrusted.te

# Any fsck program run on untrusted block devices
type fsck_untrusted, domain;

# Inherit and use pty created by android_fork_execvp_ext().
allow fsck_untrusted devpts:chr_file { read write ioctl getattr };

# Allow stdin/out back to vold
allow fsck_untrusted vold:fd use;
allow fsck_untrusted vold:fifo_file { read write getattr };

# Run fsck on vold block devices
allow fsck_untrusted block_device:dir search;
allow fsck_untrusted vold_device:blk_file rw_file_perms;

allow fsck_untrusted proc_mounts:file r_file_perms;

# To determine if it is safe to run fsck on a filesystem, e2fsck
# must first determine if the filesystem is mounted. To do that,
# e2fsck scans through /proc/mounts and collects all the mounted
# block devices. With that information, it runs stat() on each block
# device, comparing the major and minor numbers to the filesystem
# passed in on the command line. If there is a match, then the filesystem
# is currently mounted and running fsck is dangerous.
# Allow stat access to all block devices so that fsck can compare
# major/minor values.
allow fsck_untrusted dev_type:blk_file getattr;

###
### neverallow rules
###

# Untrusted fsck should never be run on block devices holding sensitive data
neverallow fsck_untrusted {
  boot_block_device
  frp_block_device
  metadata_block_device
  recovery_block_device
  root_block_device
  swap_block_device
  system_block_device
  userdata_block_device
  cache_block_device
  dm_device
}:blk_file no_rw_file_perms;

# Only allow entry from vold via fsck binaries
neverallow { domain -vold } fsck_untrusted:process transition;
neverallow * fsck_untrusted:process dyntransition;
neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
Different blkid and fsck execution domains. vold works with two broad classes of block devices: untrusted devices that come in from the wild, and trusted devices. When running blkid and fsck, we pick which SELinux execution domain to use based on which class the device belongs to. Bug: 19993667 Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5 2015-04-01 19:15:51 +02:00			`# Any fsck program run on untrusted block devices`
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b 2017-05-15 22:19:03 +02:00			`type fsck_untrusted, domain;`
Different blkid and fsck execution domains. vold works with two broad classes of block devices: untrusted devices that come in from the wild, and trusted devices. When running blkid and fsck, we pick which SELinux execution domain to use based on which class the device belongs to. Bug: 19993667 Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5 2015-04-01 19:15:51 +02:00
			`# Inherit and use pty created by android_fork_execvp_ext().`
			`allow fsck_untrusted devpts:chr_file { read write ioctl getattr };`

			`# Allow stdin/out back to vold`
			`allow fsck_untrusted vold:fd use;`
			`allow fsck_untrusted vold:fifo_file { read write getattr };`

			`# Run fsck on vold block devices`
			`allow fsck_untrusted block_device:dir search;`
			`allow fsck_untrusted vold_device:blk_file rw_file_perms;`

Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb 2017-09-26 21:58:29 +02:00			`allow fsck_untrusted proc_mounts:file r_file_perms;`
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00
fsck: allow stat access on /dev/block files To determine if it is safe to run fsck on a filesystem, e2fsck must first determine if the filesystem is mounted. To do that, e2fsck scans through /proc/mounts and collects all the mounted block devices. With that information, it runs stat() on each block device, comparing the major and minor numbers to the filesystem passed in on the command line. If there is a match, then the filesystem is currently mounted and running fsck is dangerous. Allow stat access to all block devices so that fsck can compare major/minor values. Addresses the following denials: avc: denied { getattr } for comm="e2fsck" path="/dev/block/sde5" dev="tmpfs" ino=15649 scontext=u:r:fsck:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0 avc: denied { getattr } for comm="e2fsck" path="/dev/block/sda25" dev="tmpfs" ino=15528 scontext=u:r:fsck:s0 tcontext=u:object_r:modem_block_device:s0 tclass=blk_file permissive=0 avc: denied { getattr } for comm="e2fsck" path="/dev/block/sda31" dev="tmpfs" ino=15552 scontext=u:r:fsck:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=0 avc: denied { getattr } for comm="e2fsck" path="/dev/block/sdd3" dev="tmpfs" ino=15600 scontext=u:r:fsck:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0 Bug: 35324014 Bug: 33781554 Test: device boots and no SELinux denials. Change-Id: I5af4a334ec41952887914eec4eee5c60cc441a66 2017-02-17 21:47:25 +01:00			`# To determine if it is safe to run fsck on a filesystem, e2fsck`
			`# must first determine if the filesystem is mounted. To do that,`
			`# e2fsck scans through /proc/mounts and collects all the mounted`
			`# block devices. With that information, it runs stat() on each block`
			`# device, comparing the major and minor numbers to the filesystem`
			`# passed in on the command line. If there is a match, then the filesystem`
			`# is currently mounted and running fsck is dangerous.`
			`# Allow stat access to all block devices so that fsck can compare`
			`# major/minor values.`
			`allow fsck_untrusted dev_type:blk_file getattr;`

Different blkid and fsck execution domains. vold works with two broad classes of block devices: untrusted devices that come in from the wild, and trusted devices. When running blkid and fsck, we pick which SELinux execution domain to use based on which class the device belongs to. Bug: 19993667 Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5 2015-04-01 19:15:51 +02:00			`###`
			`### neverallow rules`
			`###`

			`# Untrusted fsck should never be run on block devices holding sensitive data`
			`neverallow fsck_untrusted {`
			`boot_block_device`
			`frp_block_device`
			`metadata_block_device`
			`recovery_block_device`
			`root_block_device`
			`swap_block_device`
			`system_block_device`
			`userdata_block_device`
			`cache_block_device`
			`dm_device`
			`}:blk_file no_rw_file_perms;`

			`# Only allow entry from vold via fsck binaries`
			`neverallow { domain -vold } fsck_untrusted:process transition;`
Replace "neverallow domain" by "neverallow " Modify many "neverallow domain" rules to be "neverallow " rules instead. This will catch more SELinux policy bugs where a label is assigned an irrelevant rule, as well as catch situations where a domain attribute is not assigned to a process. Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf 2016-02-05 23:48:03 +01:00			`neverallow * fsck_untrusted:process dyntransition;`
Different blkid and fsck execution domains. vold works with two broad classes of block devices: untrusted devices that come in from the wild, and trusted devices. When running blkid and fsck, we pick which SELinux execution domain to use based on which class the device belongs to. Bug: 19993667 Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5 2015-04-01 19:15:51 +02:00			`neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;`