From acc0842c4bed8690fe29858070215d7a74f4a44b Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Wed, 11 Mar 2015 12:44:27 -0700
Subject: [PATCH] system_server: neverallow blk_file read/write

With the exception of the factory reset protection block device, don't allow system_server to read or write to any other block devices. This helps protect against a system->root escalation when system_server has the ability to directly minipulate raw block devices / partitions / partition tables.

This change adds a neverallow rule, which is a compile time assertion that no SELinux policy is written which allows this access. No new rules are added or removed.

Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
---
 neverallow_macros | 1 +
 system_server.te | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/neverallow_macros b/neverallow_macros
index 3593dd1bb..b36cceb86 100644
--- a/neverallow_macros
+++ b/neverallow_macros
@@ -1,5 +1,6 @@
 #
 # Common neverallow permissions
 define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
 define(`no_x_file_perms', `{ execute execute_no_trans }')
 define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
diff --git a/system_server.te b/system_server.te
index ee3aa898b..66306152e 100644
--- a/system_server.te
+++ b/system_server.te
@@ -492,3 +492,8 @@ neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app
 # system server to dynamically load a dex file, something we do not
 # want to allow.
 neverallow system_server dex2oat_exec:file no_x_file_perms;
+
+# The only block device system_server should be accessing is
+# the frp_block_device. This helps avoid a system_server to root
+# escalation by writing to raw block devices.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
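Review bot: The new `no_rw_file_perms` set in neverallow_macros is wider than its name suggests and narrower in one respect, and neither is documented: it nests `no_w_file_perms` and adds `open read ioctl lock`, but leaves out `getattr`, so a domain hit by a neverallow using it can still stat the object. A one-line comment above the define would keep future readers from assuming it is a complete read/write closure, e.g. `# Write perms plus open/read/ioctl/lock; getattr is not covered here.`. The nested expansion relies on `no_w_file_perms` being defined wherever the macro is expanded, which holds for this file as shown.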
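Review bot: The comment above the new neverallow in system_server.te describes only write-based escalation, but the rule also asserts that reads are never granted, and its coverage is limited to types carrying the `dev_type` attribute; a block device labeled with a type outside `dev_type` would not trip the build-time check. Suggest the last comment line read `# escalation by reading from or writing to raw block devices; only types in dev_type are covered.` so the scope of the assertion is explicit. The `-frp_block_device` exception leaves the full read/write/ioctl set available on that one device, which matches the commit message but may be worth noting in the comment as an intentional carve-out.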