tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/toolbox.te
Stephen Smalley 8a0c25efb0 Do not allow init to execute anything without changing domains. 
Remove the ability of init to execute programs from / or /system
without changing domains.  This forces all helper programs and
services invoked by init to be assigned their own domain.

Introduce separate domains for running the helper programs
executed from the fs_mgr library by init.  This requires a domain
for e2fsck (named fsck for generality) and a domain for running
mkswap (named toolbox since mkswap is just a symlink to the toolbox
binary and the domain transition occurs on executing the binary, not
based on the symlink in any way).

e2fsck is invoked on any partitions marked with the check mount
option in the fstab file, typically userdata and cache but never
system.  We allow it to read/write the userdata_block_device and
cache_block_device types but also allow it to read/write the default
block_device type until we can get the more specific types assigned
in all of the device-specific policies.

mkswap is invoked on any swap partition defined in the fstab file.
We introduce a new swap_block_device type for this purpose, to be
assigned to any such block devices in the device-specific policies,
and only allow it to read/write such block devices.  As there seem to be
no devices in AOSP with swap partitions in their fstab files, this does
not appear to risk any breakage for existing devices.

With the introduction of these domains, we can de-privilege init to
only having read access to block devices for mounting filesystems; it
no longer needs direct write access to such devices AFAICT.

To avoid breaking execution of toolbox by system services, apps, or the shell,
we allow all domains other than kernel and init the ability to
run toolbox in their own domain.  This is broader than strictly required;
we could alternatively only add it to those domains that already had
x_file_perms to system_file but this would require a coordinated change
with device-specific policy.

Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-28 03:23:27 +00:00

26 lines
1,014 B
Text
Raw Blame History

# Any toolbox command run by init.
# At present, the only known usage is for running mkswap via fs_mgr.
# Do NOT use this domain for toolbox when run by any other domain.
type toolbox, domain;
type toolbox_exec, exec_type, file_type;
permissive_or_unconfined(toolbox)
init_daemon_domain(toolbox)
# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow toolbox tmpfs:chr_file { read write ioctl };
# Inherit and use pty created by android_fork_execvp_ext().
allow toolbox devpts:chr_file { read write };
# mkswap-specific.
# Read/write block devices used for swap partitions.
# Assign swap_block_device type any such partition in your
# device/<vendor>/<product>/sepolicy/file_contexts file.
allow toolbox swap_block_device:blk_file rw_file_perms;
# Only allow entry from init via the toolbox binary.
neverallow { domain -init } toolbox:process transition;
neverallow domain toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
Reference in a new issue View git blame Copy permalink