fsck: allow stat access on /dev/block files

am: 585d9767 Change-Id: Ie7c5e03a90dea08abdf351578903299f01c586f3

fsck: allow stat access on /dev/block files
am: 585d9767 Change-Id: Ie7c5e03a90dea08abdf351578903299f01c586f3
3bed75b7 · Nick Kralevich · android-build-merger · ac6081e7 · 585d9767 · 3bed75b7
Commit 3bed75b7 authored 8 years ago by Nick Kralevich Committed by android-build-merger 8 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -378,7 +378,7 @@ neverallow {
  -system_server
  -shell # Shell is further restricted in shell.te
  -ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file rw_file_perms;
+} frp_block_device:blk_file no_rw_file_perms;

 # The metadata block device is set aside for device encryption and
 # verified boot metadata. It may be reset at will and should not

--- a/public/fsck.te
+++ b/public/fsck.te
@@ -19,9 +19,16 @@ allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;

-# fsck performs a stat() on swap to verify that it is a valid
-# swap device before setting the EXT2_MF_SWAP mount flag.
-allow fsck swap_block_device:blk_file getattr;
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;

 r_dir_file(fsck, proc)
 allow fsck rootfs:dir r_dir_perms;

--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -14,6 +14,17 @@ allow fsck_untrusted vold_device:blk_file rw_file_perms;

 r_dir_file(fsck_untrusted, proc)

+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
 ###
 ### neverallow rules
 ###