system_server: neverallow blk_file read/write
With the exception of the factory reset protection block device, don't allow system_server to read or write to any other block devices. This helps protect against a system->root escalation when system_server has the ability to directly manipulate raw block devices / partitions / partition tables. This change adds a neverallow rule, which is a compile-time assertion that no SELinux policy is written which allows this access. No new allow rules are added or removed. Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
parent
c01f7fd1c1
commit
acc0842c4b
2 changed files with 6 additions and 0 deletions
|
@ -1,5 +1,6 @@
|
||||||
#
|
#
|
||||||
# Common neverallow permissions
|
# Common neverallow permissions
|
||||||
define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
|
define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
|
||||||
|
define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
|
||||||
define(`no_x_file_perms', `{ execute execute_no_trans }')
|
define(`no_x_file_perms', `{ execute execute_no_trans }')
|
||||||
define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
|
define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
|
||||||
|
|
|
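Review bot: The new `no_rw_file_perms` define is broader than its name suggests: besides the write-type permissions it pulls in from `no_w_file_perms`, it also denies `open`, `ioctl` and `lock`, and anyone auditing a neverallow built on it needs to know that `ioctl` is covered while `getattr` is not. A one-line comment above the define would make the contract explicit, e.g. `# read/write access plus the permissions that yield a usable handle or control over the object (open ioctl lock); getattr is intentionally left out`. If leaving `getattr` out is not deliberate, that is worth deciding now, since every future neverallow using this macro inherits the choice.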
@ -492,3 +492,8 @@ neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app
|
||||||
# system server to dynamically load a dex file, something we do not
|
# system server to dynamically load a dex file, something we do not
|
||||||
# want to allow.
|
# want to allow.
|
||||||
neverallow system_server dex2oat_exec:file no_x_file_perms;
|
neverallow system_server dex2oat_exec:file no_x_file_perms;
|
||||||
|
|
||||||
|
# The only block device system_server should be accessing is
|
||||||
|
# the frp_block_device. This helps avoid a system_server to root
|
||||||
|
# escalation by writing to raw block devices.
|
||||||
|
neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
|
||||||
|
|
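Review bot: The added neverallow's coverage depends on every block-device type carrying the `dev_type` attribute; a blk_file type that is declared without that attribute (possibly in a policy fragment outside this tree) would fall outside the assertion, so the compile-time guarantee is only as complete as the attribute assignment. The rule also exempts `frp_block_device` in full rather than limiting it to the permissions system_server actually needs, so an allow rule granting, say, `ioctl` on that device still passes the assertion. Since the denied set comes from `no_rw_file_perms`, `getattr`, `mounton`, `swapon` and `quotaon` on block devices remain outside the assertion as well. A short addition to the new comment block would record these limits for the next reader, e.g. `# Coverage relies on all blk_file types having dev_type; frp_block_device is exempt entirely, not just for the access it needs.`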