From a4c5f57f6319dede10a08d695a02a98367038b49 Mon Sep 17 00:00:00 2001
From: Nikita Ioffe <ioffe@google.com>
Date: Wed, 28 Dec 2022 16:08:58 +0000
Subject: [PATCH] vold: explicitly specify capabilities

If a service doesn't specify any capabilities in it's definition in the
.rc file, then it will inherit all the capabilities from the init.
Although whether a process can use capabilities is actually controlled
by selinux (so inheriting all the init capabilities is not actually a
security vulnerability), it's better for defense-in-depth and just
bookkeeping to explicitly specify the capabilities that vold needs.

The list of capabilities that vold is allowed to use was obtained via:
```
$ adb pull /sys/fs/selinux/policy /tmp/selinux.policy
$ sesearch --allow -s vold -c capability,capability2 /tmp/selinux.policy
allow vold vold:capability { chown dac_override dac_read_search fowner fsetid kill mknod net_admin sys_admin sys_chroot sys_nice sys_ptrace };
allow vold vold:capability2 block_suspend
```

In addition, since vold execs the /system/bin/sdcard, which transitions
into sdcardd domain, we also need to add capabilities that are required
by /system/bin/sdcard:

```
sesearch --allow -s sdcardd -c capability,capability2 /tmp/selinux.policy
allow sdcardd sdcardd:capability { dac_override dac_read_search setgid setuid sys_admin sys_resource };
```

vold can also transform into the following domains which don't seem to
need any capabilities: blkid, blkid_untrusted, fsck, fsck_untrusted

vold can also transform into sgdisk domain, which only needs
CAP_SYS_ADMIN:

```
sesearch --allow -s sgdisk -c capability,capability2 /tmp/selinux.policy
allow sgdisk sgdisk:capability sys_admin
```

Bug: 249796710
Test: device boots
Test: prebumit
Change-Id: Ic2a35fd62d6ed8c7b305c23607e6c24b197cf6bc
---
 vold.rc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/vold.rc b/vold.rc
index 9474a1e..466e2db 100644
--- a/vold.rc
+++ b/vold.rc
@@ -7,3 +7,5 @@ service vold /system/bin/vold \
     shutdown critical
     group root reserved_disk
     reboot_on_failure reboot,vold-failed
+    # CAP_SETGID, CAP_SETUID, CAP_SYS_RESOURCE are not used by the vold itself, but instead are used by the /system/bin/sdcard that vold execs
+    capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL MKNOD NET_ADMIN SYS_ADMIN SYS_CHROOT SYS_NICE SYS_PTRACE BLOCK_SUSPEND SETGID SETUID SYS_RESOURCE