Commit 3f40d4f4 authored by Stephen Smalley's avatar Stephen Smalley

Remove block device access from unconfined domains.


Only allow it to the domains that require it, and amend the existing
neverallow on block_device:blk_file to replace the exemption for
unconfineddomain with an explicit whitelist.
The neverallow does not check other device types, since specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent 5487ca00
......@@ -203,7 +203,7 @@ neverallow domain init:binder call;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read write };
neverallow { domain -kernel -init -recovery -vold } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
......@@ -9,6 +9,7 @@ allow init unlabeled:filesystem mount;
allow init self:capability { sys_rawio mknod };
allow init dev_type:blk_file rw_file_perms;
allow init fs_type:filesystem *;
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow init kernel:security load_policy;
......@@ -21,3 +21,5 @@ allow kernel self:security setcheckreqprot;
## TODO: Investigate whether it is safe to remove these
allow kernel self:capability { sys_rawio mknod };
auditallow kernel self:capability { sys_rawio mknod };
allow kernel dev_type:blk_file rw_file_perms;
auditallow kernel dev_type:blk_file rw_file_perms;
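Review bot: The `## TODO: Investigate whether it is safe to remove these` comment above now also governs the new dev_type:blk_file rule pair, but it still reads as if it referred only to the capability rules; suggest widening it to `## TODO: Investigate whether it is safe to remove these; both the capability and the dev_type:blk_file rules are auditallow'd so real users show up in the audit log.` Separately, `allow kernel dev_type:blk_file rw_file_perms;` is broader than the block_device type for which the domain.te neverallow whitelist exempts kernel: if the kernel domain only needs raw access to block_device-labelled nodes, narrowing the allow and its auditallow to `block_device:blk_file` would keep the exemption minimal. Whether any other device label is actually needed is not visible from this hunk.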
......@@ -10,6 +10,9 @@ allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set rela
allow recovery unlabeled:filesystem mount;
allow recovery fs_type:filesystem *;
# Required to e.g. wipe userdata/cache.
allow recovery dev_type:blk_file rw_file_perms;
allow recovery self:process execmem;
allow recovery ashmem_device:chr_file execute;
allow recovery tmpfs:file rx_file_perms;
......@@ -28,7 +28,7 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
allow unconfineddomain domain:socket_class_set *;
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
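Review bot: Dropping blk_file from the `~relabelto` rule removes every blk_file permission from unconfined domains (getattr, setattr, unlink, relabelfrom, ioctl and so on), not only the `open read write` that the domain.te neverallow forbids, so an unconfined domain that merely stats or relabels a block device node will now be denied. If that is the intent, the commit message could state it; otherwise a narrower replacement such as `allow unconfineddomain {fs_type dev_type file_type}:blk_file ~{open read write relabelto};` keeps metadata access while still satisfying the neverallow. Whether any unconfined domain relies on those permissions cannot be determined from this hunk.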