From d34435c2571abb47edb40b90659e50423ba2d197 Mon Sep 17 00:00:00 2001
From: Richard Fung
Date: Mon, 22 Nov 2021 21:16:12 +0000
Subject: [PATCH] Support reading block apexes from system_server

This relaxes the neverallow so that it is possible to write a new SELinux allow for system_server to read /dev/block/vd*. It still isn't possible unless a vendor enables it.

Bug: 196965847
Test: m -j local_test_runner arc.Boot.vm
Change-Id: Idad79284778cf02066ff0b982480082828f24e19
---
 private/system_server.te | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/private/system_server.te b/private/system_server.te
index 5b67b703f..68792e8cd 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1250,10 +1250,13 @@ neverallow system_server dex2oat_exec:file no_x_file_perms;
 # https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
 neverallow system_server data_file_type:file no_x_file_perms;
 
-# The only block device system_server should be accessing is
+# The only block device system_server should be writing to is
 # the frp_block_device. This helps avoid a system_server to root
 # escalation by writing to raw block devices.
-neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
+# The system_server may need to read from vd_device if it uses
+# block apexes.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
+neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;
 
 # system_server should never use JIT functionality
 # See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
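Review bot: The read carve-out in the second added neverallow exempts the whole `vd_device` type, which per the description is every /dev/block/vd* node rather than only the devices that hold block apexes, so a future vendor allow rule could legitimately grant system_server read on unrelated virtio disks; a dedicated label for the apex-backing devices (placeholder: `<block_apex_device_type>`) would let the exemption be narrowed to just those and keep the rest of `vd_device` under the neverallow. Splitting `no_rw_file_perms` into `no_w_file_perms` plus `r_file_perms` also changes the exact permission set the rules cover, depending on how those macros are defined in global_macros (the combined set presumably adds `getattr`/`map` and may no longer include the `no_x_file_perms` members), which the comment does not mention. Suggest extending the new comment to say so, e.g. `# Write access stays denied for every block device except frp_block_device; read access is denied separately below so vd_device can be exempted.`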