system_server: neverallow blk_file read/write

With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly minipulate raw
block devices / partitions / partition tables.

This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.

Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
This commit is contained in:
Nick Kralevich 2015-03-11 12:44:27 -07:00
parent c01f7fd1c1
commit acc0842c4b
2 changed files with 6 additions and 0 deletions

View file

@ -1,5 +1,6 @@
# #
# Common neverallow permissions # Common neverallow permissions
define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }') define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
define(`no_x_file_perms', `{ execute execute_no_trans }') define(`no_x_file_perms', `{ execute execute_no_trans }')
define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }') define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')

View file

@ -492,3 +492,8 @@ neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app
# system server to dynamically load a dex file, something we do not # system server to dynamically load a dex file, something we do not
# want to allow. # want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms; neverallow system_server dex2oat_exec:file no_x_file_perms;
# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;