From 206b1a6c45f1bae25906018d9c5d968330106826 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Tue, 30 Sep 2014 12:53:12 -0400 Subject: [PATCH] Define specific block device types for system and recovery partitions. Define a specific block device type for system so that we can prevent raw writes to the system partition by anything other than recovery. Define a specific block device type for recovery so that we can prevent raw writes to the recovery partition by anything other than install_recovery or recovery. These types must be assigned to specific block device nodes via device-specific policy. This change merely defines the types, adds allow rules so that nothing will break when the types are assigned, and adds neverallow rules to prevent adding further allow rules on these types. This change does not remove access to the generic block_device type from any domain so nothing should break even on devices without these type assignments. Change-Id: Ie9c1f6d632f6e9e8cbba106f07f6b1979d2a3c4a Signed-off-by: Stephen Smalley --- device.te | 6 ++++++ domain.te | 6 ++++++ install_recovery.te | 2 ++ 3 files changed, 14 insertions(+) diff --git a/device.te b/device.te index abe5daaf9..c1f3d283c 100644 --- a/device.te +++ b/device.te @@ -68,6 +68,12 @@ type root_block_device, dev_type; # factory reset protection block device type frp_block_device, dev_type; +# System block device mounted on /system. +type system_block_device, dev_type; + +# Recovery block device. +type recovery_block_device, dev_type; + # Userdata block device mounted on /data. type userdata_block_device, dev_type; diff --git a/domain.te b/domain.te index 8e9d8c446..86aeb07d8 100644 --- a/domain.te +++ b/domain.te @@ -318,3 +318,9 @@ neverallow domain default_android_service:service_manager add; neverallow { domain -init } default_prop:property_service set; neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms; + +# No domain other than recovery can write to system. +neverallow { domain -recovery } system_block_device:blk_file write; + +# No domains other than install_recovery or recovery can write to recovery. +neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write; diff --git a/install_recovery.te b/install_recovery.te index 138134ae5..52326859a 100644 --- a/install_recovery.te +++ b/install_recovery.te @@ -18,6 +18,8 @@ allow install_recovery system_file:file rx_file_perms; # create an appropriate label for it. allow install_recovery block_device:dir search; allow install_recovery block_device:blk_file rw_file_perms; +auditallow install_recovery block_device:blk_file rw_file_perms; +allow install_recovery recovery_block_device:blk_file rw_file_perms; # Create and delete /cache/saved.file allow install_recovery cache_file:dir rw_dir_perms;