Adding a neverallow rule to prevent renaming of device and char files

This neverallow addition addresses the renaming of files in exploits in
order to bypass denied permissions. An example of a similar use case of
using mv to bypass permission denials appeared in a recent Project Zero
ChromeOS exploit as one of the steps in the exploit chain.
https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html

Additionally, vold and init both had permission sets that allowed them
to rename, but neither of them seems to need it. Therefore the rename
permission has also been removed from these two .te files.

Test: The device boots successfully
Change-Id: I07bbb58f058bf050f269b083e836c2c9a5bbad80
Max Bires 2017-01-20 14:26:05 -08:00
parent 952072b9da
commit 626f90c541
3 changed files with 8 additions and 3 deletions
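As an added example that is not part of this commit or of the Android sepolicy tree: a small Python lint that flags `allow` rules granting `rename` on `blk_file` or `chr_file`, directly or through a macro, which is exactly what the new `neverallow * *:{ blk_file chr_file } rename;` rule rejects at build time. The macro table is an assumption modelled on Android's global_macros, and the policy text it runs over is constructed to mirror the init and vold lines touched here.

```python
import re

# Assumed macro expansions modelled on Android's global_macros (not copied
# from the tree); create_file_perms is the macro that carries rename.
MACROS = {
    "rw_file_perms": {"open", "getattr", "read", "write", "append", "lock", "ioctl"},
    "create_file_perms": {"create", "rename", "setattr", "unlink", "rw_file_perms"},
}
DEVICE_CLASSES = {"blk_file", "chr_file"}
# allow <source> <target>:<class or { set }> <perm or { set }>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+?):(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)


def _items(token):
    """Turn `foo` or `{ foo bar }` into a set of names."""
    return set(token.strip("{}").split())


def expand(perms):
    """Recursively replace macro names with the primitive permissions they contain."""
    out = set()
    for p in perms:
        out |= expand(MACROS[p]) if p in MACROS else {p}
    return out


def find_device_rename_grants(policy_text):
    """Return (source, target, class) for each allow rule granting rename on a
    blk_file or chr_file; these are exactly the rules the neverallow rejects."""
    hits = []
    for m in ALLOW_RE.finditer(policy_text):
        src, tgt, classes, perms = m.groups()
        for cls in sorted(_items(classes) & DEVICE_CLASSES):
            if "rename" in expand(_items(perms)):
                hits.append((src, tgt, cls))
    return hits


# Constructed sample: the pre-change init/vold rules next to post-change ones.
SAMPLE_POLICY = """
allow init tmpfs:chr_file create_file_perms;
allow vold loop_device:blk_file create_file_perms;
allow vold dm_device:blk_file rw_file_perms;
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
allow untrusted_app app_data_file:file create_file_perms;
"""

if __name__ == "__main__":
    for src, tgt, cls in find_device_rename_grants(SAMPLE_POLICY):
        print(f"rename granted: allow {src} {tgt}:{cls}")
```

Only the two pre-change lines are reported: the spelled-out set without `rename`, the `rw_file_perms`-only rule and the `file`-class rule all pass.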


@ -279,6 +279,11 @@ neverallow * init:binder *;
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
# Do not allow renaming of block files or character files
# Ability to do so can lead to possible use in an exploit chain
# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
neverallow * *:{ blk_file chr_file } rename;
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
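Review bot: the new rule uses `*` as the source domain, so it is global: any `allow` rule granting `rename` on `blk_file` or `chr_file` anywhere in the policy, including device-specific sepolicy outside the three files in this change, will now fail the neverallow check at build time. The commit message should say that downstream policies using `create_file_perms` on device nodes need the same adjustment made to vold and init here. The comment "Ability to do so can lead to possible use in an exploit chain" could also state the concrete risk, e.g. "renaming a device node can be used to bypass a denial on its original path", so the reason survives without following the link.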


@ -5,7 +5,7 @@ type init, domain, domain_deprecated, mlstrustedsubject;
type init_exec, exec_type, file_type;
# /dev/__null__ node created by init.
allow init tmpfs:chr_file create_file_perms;
allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
#
# init direct restorecon calls.
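Review bot: `{ create setattr unlink rw_file_perms }` is `create_file_perms` with `rename` dropped, but nothing in the hunk says so; the comment above still only explains that init creates /dev/__null__. A one-line note such as "create_file_perms minus rename, see the blk_file/chr_file rename neverallow" would stop a later cleanup from folding this back into the macro and reintroducing the build failure.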


@ -64,8 +64,8 @@ allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
allow vold loop_device:blk_file create_file_perms;
allow vold vold_device:blk_file create_file_perms;
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
# For vold Process::killProcessesWithOpenFiles function.
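Review bot: the loop_device and vold_device lines now carry identical spelled-out permission sets; a single rule `allow vold { loop_device vold_device }:blk_file { create setattr unlink rw_file_perms };` keeps them from drifting apart and, as in the init hunk, deserves a comment that this is `create_file_perms` without `rename`. Also, "Test: The device boots successfully" does not exercise vold's loop_device or vold_device handling, so a test that actually drives those paths would be the evidence that vold never needed `rename` there.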