Different blkid and fsck execution domains.

vold works with two broad classes of block devices: untrusted devices
that come in from the wild, and trusted devices.

When running blkid and fsck, we pick which SELinux execution domain
to use based on which class the device belongs to.

Bug: 19993667
Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5
This commit is contained in:
Jeff Sharkey 2015-04-01 10:15:51 -07:00
parent d9128a45c6
commit 84e1c61193
6 changed files with 99 additions and 45 deletions

View file

@ -2,15 +2,19 @@
type blkid, domain; type blkid, domain;
type blkid_exec, exec_type, file_type; type blkid_exec, exec_type, file_type;
# Allowed read-only access to vold block devices to extract UUID/label # Allowed read-only access to encrypted devices to extract UUID/label
allow blkid block_device:dir search; allow blkid block_device:dir search;
allow blkid vold_device:blk_file r_file_perms; allow blkid userdata_block_device:blk_file r_file_perms;
allow blkid dm_device:blk_file r_file_perms;
# Allow stdin/out back to vold # Allow stdin/out back to vold
allow blkid vold:fd use; allow blkid vold:fd use;
allow blkid vold:fifo_file { read write getattr }; allow blkid vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid blkid_exec:file rx_file_perms;
# Only allow entry from vold # Only allow entry from vold
neverallow { domain -vold } blkid:process transition; neverallow { domain -vold } blkid:process transition;
neverallow domain blkid:process dyntransition; neverallow domain blkid:process dyntransition;
neverallow blkid { file_type fs_type -blkid_exec }:file entrypoint; neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;

36
blkid_untrusted.te Normal file
View file

@ -0,0 +1,36 @@
# blkid for untrusted block devices
type blkid_untrusted, domain;
# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;
# Allow stdin/out back to vold
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid_untrusted blkid_exec:file rx_file_perms;
###
### neverallow rules
###
# Untrusted blkid should never be run on block devices holding sensitive data
neverallow blkid_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file no_rw_file_perms;
# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow domain blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;

View file

@ -11,10 +11,15 @@ allow fsck tmpfs:chr_file { read write ioctl };
# Inherit and use pty created by android_fork_execvp_ext(). # Inherit and use pty created by android_fork_execvp_ext().
allow fsck devpts:chr_file { read write ioctl getattr }; allow fsck devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold
allow fsck vold:fd use;
allow fsck vold:fifo_file { read write getattr };
# Run fsck on certain block devices # Run fsck on certain block devices
allow fsck block_device:dir search; allow fsck block_device:dir search;
allow fsck userdata_block_device:blk_file rw_file_perms; allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms; allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
### ###
### neverallow rules ### neverallow rules
@ -32,7 +37,7 @@ neverallow fsck {
vold_device vold_device
}:blk_file no_rw_file_perms; }:blk_file no_rw_file_perms;
# Only allow entry from init via fsck binaries # Only allow entry from init or vold via fsck binaries
neverallow { domain -init } fsck:process transition; neverallow { domain -init -vold } fsck:process transition;
neverallow domain fsck:process dyntransition; neverallow domain fsck:process dyntransition;
neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint; neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;

36
fsck_untrusted.te Normal file
View file

@ -0,0 +1,36 @@
# Any fsck program run on untrusted block devices
type fsck_untrusted, domain;
# Inherit and use pty created by android_fork_execvp_ext().
allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold
allow fsck_untrusted vold:fd use;
allow fsck_untrusted vold:fifo_file { read write getattr };
# Run fsck on vold block devices
allow fsck_untrusted block_device:dir search;
allow fsck_untrusted vold_device:blk_file rw_file_perms;
###
### neverallow rules
###
# Untrusted fsck should never be run on block devices holding sensitive data
neverallow fsck_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file no_rw_file_perms;
# Only allow entry from vold via fsck binaries
neverallow { domain -vold } fsck_untrusted:process transition;
neverallow domain fsck_untrusted:process dyntransition;
neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;

18
vold.te
View file

@ -6,9 +6,20 @@ init_daemon_domain(vold)
# Switch to more restrictive domains when executing common tools # Switch to more restrictive domains when executing common tools
domain_auto_trans(vold, sgdisk_exec, sgdisk); domain_auto_trans(vold, sgdisk_exec, sgdisk);
domain_auto_trans(vold, blkid_exec, blkid);
domain_auto_trans(vold, sdcardd_exec, sdcardd); domain_auto_trans(vold, sdcardd_exec, sdcardd);
domain_auto_trans(vold, fsck_exec, vold_fsck);
# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
domain_trans(vold, shell_exec, blkid);
domain_trans(vold, shell_exec, blkid_untrusted);
domain_trans(vold, fsck_exec, fsck);
domain_trans(vold, fsck_exec, fsck_untrusted);
# Allow us to jump into execution domains of above tools
allow vold self:process setexec;
# For sgdisk launched through popen()
allow vold shell_exec:file rx_file_perms;
typeattribute vold mlstrustedsubject; typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate; allow vold self:process setfscreate;
@ -58,9 +69,6 @@ allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill }; allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill }; allow vold self:capability { sys_ptrace kill };
# For blkid and sgdisk
allow vold shell_exec:file rx_file_perms;
# XXX Label sysfs files with a specific type? # XXX Label sysfs files with a specific type?
allow vold sysfs:file rw_file_perms; allow vold sysfs:file rw_file_perms;

View file

@ -1,35 +0,0 @@
# Any fsck program run by vold
type vold_fsck, domain;
# Inherit and use pty created by android_fork_execvp_ext().
allow vold_fsck devpts:chr_file { read write ioctl getattr };
# Run fsck on certain block devices
allow vold_fsck block_device:dir search;
allow vold_fsck vold_device:blk_file rw_file_perms;
# Allow stdin/out back to vold
allow vold_fsck vold:fd use;
allow vold_fsck vold:fifo_file { read write getattr };
###
### neverallow rules
###
# fsck should never be run on these block devices
neverallow vold_fsck {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
}:blk_file no_rw_file_perms;
# Only allow entry from vold via fsck binaries
neverallow { domain -vold } vold_fsck:process transition;
neverallow domain vold_fsck:process dyntransition;
neverallow vold_fsck { file_type fs_type -fsck_exec }:file entrypoint;