Separate fsck domains to protect userdata.

Create new vold_fsck domain that only has access to vold_block devices to prevent any access to internal userdata. Change-Id: I25ddcd16cbf83d7a25b70bc64d95f5345d0d5731
2015-03-31 08:04:46 -07:00 · 2015-03-31 08:04:46 -07:00 · 5a5b364c54
commit 5a5b364c54
parent 5895ffe1f7
3 changed files with 40 additions and 9 deletions
--- a/fsck.te
+++ b/fsck.te
@ -1,4 +1,4 @@
-# Any fsck program run by init or vold
+# Any fsck program run by init
 type fsck, domain;
 type fsck_exec, exec_type, file_type;

@ -15,11 +15,6 @@ allow fsck devpts:chr_file { read write ioctl getattr };
 allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck vold_device:blk_file rw_file_perms;
-
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };

 ###
 ### neverallow rules
@ -34,9 +29,10 @@ neverallow fsck {
  root_block_device
  swap_block_device
  system_block_device
+  vold_device
 }:blk_file no_rw_file_perms;

-# Only allow entry from init or vold via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
+# Only allow entry from init via fsck binaries
+neverallow { domain -init } fsck:process transition;
 neverallow domain fsck:process dyntransition;
 neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
--- a/vold.te
+++ b/vold.te
@ -8,7 +8,7 @@ init_daemon_domain(vold)
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
 domain_auto_trans(vold, blkid_exec, blkid);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
-domain_auto_trans(vold, fsck_exec, fsck);
+domain_auto_trans(vold, fsck_exec, vold_fsck);

 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
--- a/vold_fsck.te
+++ b/vold_fsck.te
@ -0,0 +1,35 @@
+# Any fsck program run by vold
+type vold_fsck, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow vold_fsck devpts:chr_file { read write ioctl getattr };
+
+# Run fsck on certain block devices
+allow vold_fsck block_device:dir search;
+allow vold_fsck vold_device:blk_file rw_file_perms;
+
+# Allow stdin/out back to vold
+allow vold_fsck vold:fd use;
+allow vold_fsck vold:fifo_file { read write getattr };
+
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow vold_fsck {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } vold_fsck:process transition;
+neverallow domain vold_fsck:process dyntransition;
+neverallow vold_fsck { file_type fs_type -fsck_exec }:file entrypoint;