From b8b4f5d649fb80adbad1e5f2329afc4f8e691816 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Tue, 21 Nov 2017 12:56:30 -0800 Subject: [PATCH] Clean up old file-based OTA SELinux rules Remove a number of SELinux rules which were required to support file based OTA. After this, we can have a much stronger assertion that files on /system are immutable. Tighten up the neverallow rules at the same time. Bug: 35853185 Bug: 15575013 Bug: 69664758 Test: adb reboot recovery && adb sideload [file] Change-Id: I22aa208859b8478a2a90e1ed1c0f0d6b62a6664e --- public/domain.te | 30 ++++++++++++++++-------------- public/recovery.te | 22 +--------------------- 2 files changed, 17 insertions(+), 35 deletions(-) diff --git a/public/domain.te b/public/domain.te index 91cf8ca6d..0d50c38f9 100644 --- a/public/domain.te +++ b/public/domain.te @@ -238,8 +238,8 @@ neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK }; # http://www.openwall.com/lists/oss-security/2016/09/26/14 neverallowxperm * devpts:chr_file ioctl TIOCSTI; -# Do not allow any domain other than init or recovery to create unlabeled files. -neverallow { domain -init -recovery } unlabeled:dir_file_class_set create; +# Do not allow any domain other than init to create unlabeled files. +neverallow { domain -init } unlabeled:dir_file_class_set create; # Limit device node creation to these whitelisted domains. neverallow { @@ -269,8 +269,10 @@ neverallow * self:memprotect mmap_zero; # No domain needs mac_override as it is unused by SELinux. neverallow * self:global_capability2_class_set mac_override; -# Only recovery needs mac_admin to set contexts not defined in current policy. -neverallow { domain -recovery } self:global_capability2_class_set mac_admin; +# Disallow attempts to set contexts not defined in current policy +# This helps guarantee that unknown or dangerous contents will not ever +# be set. +neverallow * self:global_capability2_class_set mac_admin; # Once the policy has been loaded there shall be none to modify the policy. # It is sealed. @@ -376,6 +378,7 @@ neverallow { -bootanim # for oemfs -recovery # for /tmp/update_binary in tmpfs } { fs_type -rootfs }:file execute; + # Files from cache should never be executed neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute; @@ -399,10 +402,12 @@ neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms }; neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms }; -# Only recovery should be doing writes to /system & /vendor +# Nobody should be doing writes to /system & /vendor +# These partitions are intended to be read-only and must never be +# modified. Doing so would violate important Android security guarantees +# and invalidate dm-verity signatures. neverallow { domain - -recovery with_asan(`-asan_extract') } { system_file @@ -410,7 +415,7 @@ neverallow { exec_type }:dir_file_class_set { create write setattr relabelfrom append unlink link rename }; -neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto; +neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto; # Don't allow mounting on top of /system files or directories neverallow * exec_type:dir_file_class_set mounton; @@ -426,7 +431,7 @@ neverallow * {fs_type -contextmount_type}:filesystem relabelto; # Ensure that context mount types are not writable, to ensure that # the write to /system restriction above is not bypassed via context= # mount to another type. -neverallow { domain -recovery } contextmount_type:dir_file_class_set +neverallow * contextmount_type:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Do not allow service_manager add for default service labels. @@ -1091,12 +1096,9 @@ neverallow { # vendor, and boot partitions. neverallow * ~{ system_file vendor_file rootfs }:system module_load; -# Only allow filesystem caps to be set at build time or -# during upgrade by recovery. -neverallow { - domain - -recovery -} self:global_capability_class_set setfcap; +# Only allow filesystem caps to be set at build time. Runtime changes +# to filesystem capabilities are not permitted. +neverallow * self:global_capability_class_set setfcap; # Enforce AT_SECURE for executing crash_dump. neverallow domain crash_dump:process noatsecure; diff --git a/public/recovery.te b/public/recovery.te index 3e3c28e61..f6ad47fef 100644 --- a/public/recovery.te +++ b/public/recovery.te @@ -12,10 +12,7 @@ recovery_only(` # Recovery can only use HALs in passthrough mode passthrough_hal_client_domain(recovery, hal_bootctl) - allow recovery self:global_capability_class_set { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config }; - - # Set security contexts on files that are not known to the loaded policy. - allow recovery self:global_capability2_class_set mac_admin; + allow recovery self:global_capability_class_set { dac_override fowner setuid setgid sys_admin sys_tty_config }; # Run helpers from / or /system without changing domain. r_dir_file(recovery, rootfs) @@ -29,26 +26,9 @@ recovery_only(` allow recovery unlabeled:filesystem ~relabelto; allow recovery contextmount_type:filesystem relabelto; - # Create and relabel files and directories under /system. - allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto }; - allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto }; - allow recovery system_file:dir { create_dir_perms relabelfrom relabelto }; - - # We may be asked to set an SELinux label for a type not known to the - # currently loaded policy. Allow it. - allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto }; - allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto }; # Get file contexts allow recovery file_contexts_file:file r_file_perms; - # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux - # support to OTAs. However, that code has a bug. When an update occurs, - # some directories are inappropriately labeled as exec_type. This is - # only transient, and subsequent steps in the OTA script correct this - # mistake. New devices are moving to block based OTAs, so this is not - # worth fixing. b/15575013 - allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto }; - # Write to /proc/sys/vm/drop_caches allow recovery proc_drop_caches:file w_file_perms;