start enforcing ioctl restrictions on blk_file
am: 4c8eaba75a
Change-Id: Ic97b8aafa7f6edcf54e08230905b34500fbe677e
This commit is contained in:
commit
674b168480
6 changed files with 21 additions and 4 deletions
|
@ -14,6 +14,7 @@ allow apexd apex_data_file:file rw_file_perms;
|
|||
allow apexd loop_control_device:chr_file rw_file_perms;
|
||||
# allow apexd to access loop devices
|
||||
allow apexd loop_device:blk_file rw_file_perms;
|
||||
allowxperm apexd loop_device:blk_file ioctl LOOP_GET_STATUS64;
|
||||
# allow apexd to access /dev/block
|
||||
allow apexd block_device:dir r_dir_perms;
|
||||
|
||||
|
|
|
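Review bot: The new rule grants apexd only LOOP_GET_STATUS64, a read-only status query, while the surrounding context (rw_file_perms on loop_control_device and on loop_device:blk_file) suggests apexd also attaches and detaches backing files, which on Linux goes through LOOP_SET_FD / LOOP_SET_STATUS64 / LOOP_CLR_FD on the loop block device. Once the domain-wide `neverallowxperm ... blk_file ioctl { 0 }` added elsewhere in this commit is in force, any such ioctl that is not whitelisted somewhere in this file will be denied, so please confirm from audit logs which LOOP_* ioctls apexd actually issues and list them in one rule, e.g. `allowxperm apexd loop_device:blk_file ioctl { LOOP_GET_STATUS64 <TODO: other LOOP_* ioctls seen in audit> };`. The same single-ioctl grant appears in the vold section at the end of this commit. If LOOP_GET_STATUS64 really is the complete set, a comment saying so next to the rule would stop the next reader from widening it by guesswork.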
@ -310,7 +310,7 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
|
|||
# All domains must clearly enumerate what ioctls they use
|
||||
# on filesystem objects (plain files, directories, symbolic links,
|
||||
# named pipes, and named sockets). We start off with a safe set.
|
||||
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set } ioctl { FIOCLEX FIONCLEX };
|
||||
allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
|
||||
|
||||
# Allow a process to make a determination whether a file descriptor
|
||||
# for a plain file or pipe (fifo_file) is a tty. Note that granting
|
||||
|
@ -319,6 +319,10 @@ allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_s
|
|||
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
|
||||
allowxperm domain domain:fifo_file ioctl { TCGETS };
|
||||
|
||||
# If a domain has access to perform an ioctl on a block device, allow these
|
||||
# very common, benign ioctls
|
||||
allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
|
||||
|
||||
# Support sqlite F2FS specific optimizations
|
||||
# ioctl permission on the specific file type is still required
|
||||
# TODO: consider only compiling these rules if we know the
|
||||
|
@ -354,7 +358,7 @@ allow domain apex_mnt_dir:lnk_file r_file_perms;
|
|||
|
||||
# All ioctls on file-like objects (except chr_file and blk_file) and
|
||||
# sockets must be restricted to a whitelist.
|
||||
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set } ioctl { 0 };
|
||||
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
|
||||
|
||||
# b/68014825 and https://android-review.googlesource.com/516535
|
||||
# rfc6093 says that processes should not use the TCP urgent mechanism
|
||||
|
|
|
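Review bot: The comment `# All ioctls on file-like objects (except chr_file and blk_file) and` is now stale: the neverallowxperm directly below it gains blk_file in this hunk, so block devices are no longer an exception. Change it to `# All ioctls on file-like objects (except chr_file) and`, and likewise extend the earlier comment `# on filesystem objects (plain files, directories, symbolic links,` / `# named pipes, and named sockets). We start off with a safe set.` to mention block devices, since the FIOCLEX/FIONCLEX rule under it now covers blk_file too. Left as is, a reader of the policy will conclude that blk_file ioctls are still unconstrained, which is the opposite of what this commit enforces.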
@ -7,6 +7,9 @@ allow e2fs dev_type:blk_file getattr;
|
|||
allow e2fs block_device:dir search;
|
||||
allow e2fs userdata_block_device:blk_file rw_file_perms;
|
||||
allow e2fs metadata_block_device:blk_file rw_file_perms;
|
||||
allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
|
||||
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
|
||||
};
|
||||
|
||||
allow e2fs {
|
||||
proc_filesystems
|
||||
|
@ -18,5 +21,5 @@ allow e2fs {
|
|||
allow e2fs sysfs_fs_ext4_features:dir search;
|
||||
allow e2fs sysfs_fs_ext4_features:file r_file_perms;
|
||||
|
||||
# access sselinux context files
|
||||
allow e2fs file_contexts_file:file { getattr open read };
|
||||
# access SELinux context files
|
||||
allow e2fs file_contexts_file:file r_file_perms;
|
||||
|
|
|
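Review bot: The second hunk widens e2fs's access to file_contexts_file from `{ getattr open read }` to `r_file_perms`, which in this policy's global macros expands to more than those three permissions (it also carries ioctl, lock and map, if I read the macro correctly); that is a privilege increase unrelated to the blk_file ioctl enforcement named in the commit title, and nothing explains it. If the extra permissions are needed, say why in the comment, e.g. `# access SELinux context files (r_file_perms: ioctl/map needed for <TODO: name the reason>)`; if only the typo fix was intended, keep `allow e2fs file_contexts_file:file { getattr open read };`. In the first hunk, the explicit BLK* list overlaps the one added for fsck (BLKDISCARDZEROES, BLKROGET); a short comment naming which e2fs operation needs BLKSECDISCARD and BLKDISCARD would make future pruning possible.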
@ -19,6 +19,13 @@ allow fsck userdata_block_device:blk_file rw_file_perms;
|
|||
allow fsck cache_block_device:blk_file rw_file_perms;
|
||||
allow fsck dm_device:blk_file rw_file_perms;
|
||||
|
||||
# For the block devices where we have ioctl access,
|
||||
# allow at a minimum the following common fsck ioctls.
|
||||
allowxperm fsck dev_type:blk_file ioctl {
|
||||
BLKDISCARDZEROES
|
||||
BLKROGET
|
||||
};
|
||||
|
||||
# To determine if it is safe to run fsck on a filesystem, e2fsck
|
||||
# must first determine if the filesystem is mounted. To do that,
|
||||
# e2fsck scans through /proc/mounts and collects all the mounted
|
||||
|
|
|
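Review bot: The new `allowxperm fsck dev_type:blk_file ioctl { ... }` is scoped to every block device type (dev_type) even though the allow rules above it name specific devices (userdata_block_device, cache_block_device, dm_device). An allowxperm only takes effect where an `allow ... :blk_file ioctl` rule exists, so this is harmless today, but any future `allow fsck <type>:blk_file rw_file_perms` will silently inherit BLKDISCARDZEROES and BLKROGET. Scoping the rule to the same device types as the allow rules, or stating in the comment that dev_type is deliberate, keeps the grant auditable.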
@ -117,6 +117,7 @@ allow init self:global_capability_class_set { sys_rawio mknod };
|
|||
|
||||
# Mounting filesystems from block devices.
|
||||
allow init dev_type:blk_file r_file_perms;
|
||||
allowxperm init dev_type:blk_file ioctl BLKROSET;
|
||||
|
||||
# Mounting filesystems.
|
||||
# Only allow relabelto for types used in context= mount options,
|
||||
|
|
|
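Review bot: `allowxperm init dev_type:blk_file ioctl BLKROSET;` grants a state-changing ioctl (setting a device's read-only flag) on every block device type, under a comment that only says "Mounting filesystems from block devices." and next to a read-only allow (r_file_perms). A one-line comment naming the init code path that issues BLKROSET would justify the grant and tell the next reviewer whether it can be narrowed to specific device types, e.g. `# BLKROSET: <TODO: name the init mount code path> toggles the device's read-only flag before mounting.`.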
@ -99,6 +99,7 @@ allow vold self:global_capability_class_set { net_admin dac_override dac_read_se
|
|||
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||
allow vold loop_control_device:chr_file rw_file_perms;
|
||||
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
|
||||
allowxperm vold loop_device:blk_file ioctl LOOP_GET_STATUS64;
|
||||
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
|
||||
allow vold dm_device:chr_file rw_file_perms;
|
||||
allow vold dm_device:blk_file rw_file_perms;
|
||||
|
|