platform_system_sepolicy/fsck.te

# e2fsck or any other fsck program run by init.
type fsck, domain;
type fsck_exec, exec_type, file_type;
permissive_or_unconfined(fsck)

init_daemon_domain(fsck)

# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow fsck tmpfs:chr_file { read write ioctl };

# Inherit and use pty created by android_fork_execvp_ext().
allow fsck devpts:chr_file { read write ioctl };

# Run e2fsck on block devices.
# TODO:  Assign userdata and cache block device types to the corresponding
# block devices in all device policies, and then remove access to
# block_device:blk_file from here.
allow fsck block_device:blk_file rw_file_perms;
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;

# Only allow entry from init via the e2fsck binary.
neverallow { domain -init } fsck:process transition;
neverallow domain fsck:process dyntransition;
neverallow fsck { file_type fs_type -fsck_exec}:file entrypoint;
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-09-23 15:11:30 +02:00			`# e2fsck or any other fsck program run by init.`
			`type fsck, domain;`
			`type fsck_exec, exec_type, file_type;`
			`permissive_or_unconfined(fsck)`

			`init_daemon_domain(fsck)`

			`# /dev/__null__ created by init prior to policy load,`
			`# open fd inherited by fsck.`
			`allow fsck tmpfs:chr_file { read write ioctl };`

			`# Inherit and use pty created by android_fork_execvp_ext().`
Fix fsck-related denials with encrypted userdata. Allow error reporting via the pty supplied by init. Allow vold to invoke fsck for checking volumes. Addresses denials such as: avc: denied { ioctl } for pid=133 comm="e2fsck" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file avc: denied { execute } for pid=201 comm="vold" name="e2fsck" dev="mmcblk0p25" ino=98 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file These denials show up if you have encrypted userdata. Change-Id: Idc8e6f83a0751f17cde0ee5e4b1fbd6efe164e4c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-09-30 19:09:55 +02:00			`allow fsck devpts:chr_file { read write ioctl };`
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-09-23 15:11:30 +02:00
			`# Run e2fsck on block devices.`
			`# TODO: Assign userdata and cache block device types to the corresponding`
			`# block devices in all device policies, and then remove access to`
			`# block_device:blk_file from here.`
			`allow fsck block_device:blk_file rw_file_perms;`
			`allow fsck userdata_block_device:blk_file rw_file_perms;`
			`allow fsck cache_block_device:blk_file rw_file_perms;`

			`# Only allow entry from init via the e2fsck binary.`
			`neverallow { domain -init } fsck:process transition;`
			`neverallow domain fsck:process dyntransition;`
			`neverallow fsck { file_type fs_type -fsck_exec}:file entrypoint;`