From 84e1c61193cf880ff899c4c34f9140c2e23c7811 Mon Sep 17 00:00:00 2001 From: Jeff Sharkey Date: Wed, 1 Apr 2015 10:15:51 -0700 Subject: [PATCH] Different blkid and fsck execution domains. vold works with two broad classes of block devices: untrusted devices that come in from the wild, and trusted devices. When running blkid and fsck, we pick which SELinux execution domain to use based on which class the device belongs to. Bug: 19993667 Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5 --- blkid.te | 10 +++++++--- blkid_untrusted.te | 36 ++++++++++++++++++++++++++++++++++++ fsck.te | 9 +++++++-- fsck_untrusted.te | 36 ++++++++++++++++++++++++++++++++++++ vold.te | 18 +++++++++++++----- vold_fsck.te | 35 ----------------------------------- 6 files changed, 99 insertions(+), 45 deletions(-) create mode 100644 blkid_untrusted.te create mode 100644 fsck_untrusted.te delete mode 100644 vold_fsck.te diff --git a/blkid.te b/blkid.te index 54f6bc205..15b6a85eb 100644 --- a/blkid.te +++ b/blkid.te @@ -2,15 +2,19 @@ type blkid, domain; type blkid_exec, exec_type, file_type; -# Allowed read-only access to vold block devices to extract UUID/label +# Allowed read-only access to encrypted devices to extract UUID/label allow blkid block_device:dir search; -allow blkid vold_device:blk_file r_file_perms; +allow blkid userdata_block_device:blk_file r_file_perms; +allow blkid dm_device:blk_file r_file_perms; # Allow stdin/out back to vold allow blkid vold:fd use; allow blkid vold:fifo_file { read write getattr }; +# For blkid launched through popen() +allow blkid blkid_exec:file rx_file_perms; + # Only allow entry from vold neverallow { domain -vold } blkid:process transition; neverallow domain blkid:process dyntransition; -neverallow blkid { file_type fs_type -blkid_exec }:file entrypoint; +neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint; diff --git a/blkid_untrusted.te b/blkid_untrusted.te new file mode 100644 index 000000000..df8e447f9 --- /dev/null +++ b/blkid_untrusted.te @@ -0,0 +1,36 @@ +# blkid for untrusted block devices +type blkid_untrusted, domain; + +# Allowed read-only access to vold block devices to extract UUID/label +allow blkid_untrusted block_device:dir search; +allow blkid_untrusted vold_device:blk_file r_file_perms; + +# Allow stdin/out back to vold +allow blkid_untrusted vold:fd use; +allow blkid_untrusted vold:fifo_file { read write getattr }; + +# For blkid launched through popen() +allow blkid_untrusted blkid_exec:file rx_file_perms; + +### +### neverallow rules +### + +# Untrusted blkid should never be run on block devices holding sensitive data +neverallow blkid_untrusted { + boot_block_device + frp_block_device + metadata_block_device + recovery_block_device + root_block_device + swap_block_device + system_block_device + userdata_block_device + cache_block_device + dm_device +}:blk_file no_rw_file_perms; + +# Only allow entry from vold via blkid binary +neverallow { domain -vold } blkid_untrusted:process transition; +neverallow domain blkid_untrusted:process dyntransition; +neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint; diff --git a/fsck.te b/fsck.te index 6a3d1ee44..8c1aaf361 100644 --- a/fsck.te +++ b/fsck.te @@ -11,10 +11,15 @@ allow fsck tmpfs:chr_file { read write ioctl }; # Inherit and use pty created by android_fork_execvp_ext(). allow fsck devpts:chr_file { read write ioctl getattr }; +# Allow stdin/out back to vold +allow fsck vold:fd use; +allow fsck vold:fifo_file { read write getattr }; + # Run fsck on certain block devices allow fsck block_device:dir search; allow fsck userdata_block_device:blk_file rw_file_perms; allow fsck cache_block_device:blk_file rw_file_perms; +allow fsck dm_device:blk_file rw_file_perms; ### ### neverallow rules @@ -32,7 +37,7 @@ neverallow fsck { vold_device }:blk_file no_rw_file_perms; -# Only allow entry from init via fsck binaries -neverallow { domain -init } fsck:process transition; +# Only allow entry from init or vold via fsck binaries +neverallow { domain -init -vold } fsck:process transition; neverallow domain fsck:process dyntransition; neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint; diff --git a/fsck_untrusted.te b/fsck_untrusted.te new file mode 100644 index 000000000..67c67b762 --- /dev/null +++ b/fsck_untrusted.te @@ -0,0 +1,36 @@ +# Any fsck program run on untrusted block devices +type fsck_untrusted, domain; + +# Inherit and use pty created by android_fork_execvp_ext(). +allow fsck_untrusted devpts:chr_file { read write ioctl getattr }; + +# Allow stdin/out back to vold +allow fsck_untrusted vold:fd use; +allow fsck_untrusted vold:fifo_file { read write getattr }; + +# Run fsck on vold block devices +allow fsck_untrusted block_device:dir search; +allow fsck_untrusted vold_device:blk_file rw_file_perms; + +### +### neverallow rules +### + +# Untrusted fsck should never be run on block devices holding sensitive data +neverallow fsck_untrusted { + boot_block_device + frp_block_device + metadata_block_device + recovery_block_device + root_block_device + swap_block_device + system_block_device + userdata_block_device + cache_block_device + dm_device +}:blk_file no_rw_file_perms; + +# Only allow entry from vold via fsck binaries +neverallow { domain -vold } fsck_untrusted:process transition; +neverallow domain fsck_untrusted:process dyntransition; +neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint; diff --git a/vold.te b/vold.te index c2bd06487..dfdc3d977 100644 --- a/vold.te +++ b/vold.te @@ -6,9 +6,20 @@ init_daemon_domain(vold) # Switch to more restrictive domains when executing common tools domain_auto_trans(vold, sgdisk_exec, sgdisk); -domain_auto_trans(vold, blkid_exec, blkid); domain_auto_trans(vold, sdcardd_exec, sdcardd); -domain_auto_trans(vold, fsck_exec, vold_fsck); + +# For a handful of probing tools, we choose an even more restrictive +# domain when working with untrusted block devices +domain_trans(vold, shell_exec, blkid); +domain_trans(vold, shell_exec, blkid_untrusted); +domain_trans(vold, fsck_exec, fsck); +domain_trans(vold, fsck_exec, fsck_untrusted); + +# Allow us to jump into execution domains of above tools +allow vold self:process setexec; + +# For sgdisk launched through popen() +allow vold shell_exec:file rx_file_perms; typeattribute vold mlstrustedsubject; allow vold self:process setfscreate; @@ -58,9 +69,6 @@ allow vold domain:{ file lnk_file } r_file_perms; allow vold domain:process { signal sigkill }; allow vold self:capability { sys_ptrace kill }; -# For blkid and sgdisk -allow vold shell_exec:file rx_file_perms; - # XXX Label sysfs files with a specific type? allow vold sysfs:file rw_file_perms; diff --git a/vold_fsck.te b/vold_fsck.te deleted file mode 100644 index e45c52710..000000000 --- a/vold_fsck.te +++ /dev/null @@ -1,35 +0,0 @@ -# Any fsck program run by vold -type vold_fsck, domain; - -# Inherit and use pty created by android_fork_execvp_ext(). -allow vold_fsck devpts:chr_file { read write ioctl getattr }; - -# Run fsck on certain block devices -allow vold_fsck block_device:dir search; -allow vold_fsck vold_device:blk_file rw_file_perms; - -# Allow stdin/out back to vold -allow vold_fsck vold:fd use; -allow vold_fsck vold:fifo_file { read write getattr }; - -### -### neverallow rules -### - -# fsck should never be run on these block devices -neverallow vold_fsck { - boot_block_device - frp_block_device - metadata_block_device - recovery_block_device - root_block_device - swap_block_device - system_block_device - userdata_block_device - cache_block_device -}:blk_file no_rw_file_perms; - -# Only allow entry from vold via fsck binaries -neverallow { domain -vold } vold_fsck:process transition; -neverallow domain vold_fsck:process dyntransition; -neverallow vold_fsck { file_type fs_type -fsck_exec }:file entrypoint;