recovery.te: add /data neverallow rules
Recovery should never be accessing files from /data. In particular, /data may be encrypted, and the files within /data will be inaccessible to recovery, because recovery doesn't know the decryption key. Enforce write/execute restrictions on recovery. We can't tighten it up further because domain.te contains some /data read-only access rules, which shouldn't apply to recovery but do. Create neverallow_macros, used for storing permission macros useful for neverallow rules. Standardize recovery.te and property_data_file on the new macros. Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
This commit is contained in:
parent
3bcdec8a1e
commit
a17a266e7e
4 changed files with 25 additions and 2 deletions
@ -83,6 +83,7 @@ sepolicy_build_files := security_classes \
initial_sids \
initial_sids \
access_vectors \
access_vectors \
global_macros \
global_macros \
neverallow_macros \
mls_macros \
mls_macros \
mls \
mls \
policy_capabilities \
policy_capabilities \
@ -291,8 +291,8 @@ neverallow {
} { fs_type -rootfs }:file execute;
} { fs_type -rootfs }:file execute;
# Only the init property service should write to /data/property.
# Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
neverallow { domain -init } property_data_file:file no_w_file_perms;
# Only recovery should be doing writes to /system
# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
|
||||||
|
|
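Review bot: Replacing the explicit permission list on the property_data_file:dir rule with `no_w_dir_perms` also adds `link` and `reparent` to the denied set, which the old list did not carry, so this hunk tightens that rule rather than only standardising it; the property_data_file:file rule, by contrast, is an exact substitution. The widening looks intentional, but the commit message describes the change only as standardisation, so a short comment on the dir rule such as `# no_w_dir_perms also covers link and reparent, which were not in the old list` would keep the tightening visible to the next reader. The file path for this section is not shown on the page; from the hunk header and the description it appears to be domain.te.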
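--- a/neverallow_macros
+++ b/neverallow_macros
@@ -0,0 +1,5 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')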
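Review bot: The three macros are defined without any explanation of what each permission set is meant to express, and the file header is only a generic "Common neverallow permissions". A one-line comment above each definition would help, e.g. `# Permissions that modify a file's contents or its directory entry; for neverallow rules on file classes.` above no_w_file_perms, with similar lines for no_x_file_perms (executing a file, with or without a domain transition) and no_w_dir_perms (adding, removing, renaming or relabelling entries of a directory). It is also worth noting in the header that each macro expands to a braced set, so a caller that nests them inside another set, as recovery.te does with `{ no_w_file_perms no_x_file_perms }`, produces a nested set, which the policy grammar permits.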
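--- a/recovery.te
+++ b/recovery.te
@@ -98,3 +98,20 @@ recovery_only(`
 # set scheduling parameters for a kernel domain task.
 allow recovery kernel:process setsched;
 ')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
+neverallow recovery data_file_type:dir no_w_dir_perms;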
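Review bot: The two new neverallow rules cover only the `file` and `dir` classes of data_file_type, so symlinks, sockets, FIFOs and device nodes under /data remain unrestricted even for writes, which leaves room for a later allow rule to slip past the intent stated in the comment. A third rule using the same macro, `neverallow recovery data_file_type:{ lnk_file sock_file fifo_file chr_file blk_file } no_w_file_perms;`, would close that gap, since every permission in no_w_file_perms is common to all file classes. The TODO in the comment block records the read-only gap but not this one, so the classes still out of scope should be listed there as well. The `recovery_only(` block named in the hunk header is closed by the `')` context line, so the new rules sit at file scope.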