start enforcing ioctl restrictions on blk_file

Start enforcing the use of ioctl restrictions on all Android block devices. Domains which perform ioctls on block devices must be explicit about what ioctls they issue. The only ioctls allowed by default are BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX. Test: device boots and no problems. Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867

start enforcing ioctl restrictions on blk_file
Start enforcing the use of ioctl restrictions on all Android block devices. Domains which perform ioctls on block devices must be explicit about what ioctls they issue. The only ioctls allowed by default are BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX. Test: device boots and no problems. Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867
4c8eaba7 · Nick Kralevich · 2581761e · 4c8eaba7 · 4c8eaba7 · 4c8eaba7
Commit 4c8eaba7 authored 6 years ago by Nick Kralevich
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -14,6 +14,7 @@ allow apexd apex_data_file:file rw_file_perms;
 allow apexd loop_control_device:chr_file rw_file_perms;
 # allow apexd to access loop devices
 allow apexd loop_device:blk_file rw_file_perms;
+allowxperm apexd loop_device:blk_file ioctl LOOP_GET_STATUS64;
 # allow apexd to access /dev/block
 allow apexd block_device:dir r_dir_perms;

--- a/public/domain.te
+++ b/public/domain.te
@@ -310,7 +310,7 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 # All domains must clearly enumerate what ioctls they use
 # on filesystem objects (plain files, directories, symbolic links,
 # named pipes, and named sockets). We start off with a safe set.
-allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set } ioctl { FIOCLEX FIONCLEX };
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
 # Allow a process to make a determination whether a file descriptor
 # for a plain file or pipe (fifo_file) is a tty. Note that granting
@@ -319,6 +319,10 @@ allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_s
 allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
 allowxperm domain domain:fifo_file ioctl { TCGETS };
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
 # Support sqlite F2FS specific optimizations
 # ioctl permission on the specific file type is still required
 # TODO: consider only compiling these rules if we know the
@@ -354,7 +358,7 @@ allow domain apex_mnt_dir:lnk_file r_file_perms;
 # All ioctls on file-like objects (except chr_file and blk_file) and
 # sockets must be restricted to a whitelist.
-neverallowxperm * *:{ dir notdevfile_class_set socket_class_set } ioctl { 0 };
+neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
 # b/68014825 and https://android-review.googlesource.com/516535
 # rfc6093 says that processes should not use the TCP urgent mechanism

--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -7,6 +7,9 @@ allow e2fs dev_type:blk_file getattr;
 allow e2fs block_device:dir search;
 allow e2fs userdata_block_device:blk_file rw_file_perms;
 allow e2fs metadata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
+  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
 allow e2fs {
  proc_filesystems
@@ -18,5 +21,5 @@ allow e2fs {
 allow e2fs sysfs_fs_ext4_features:dir search;
 allow e2fs sysfs_fs_ext4_features:file r_file_perms;
-# access sselinux context files
+# access SELinux context files
-allow e2fs file_contexts_file:file { getattr open read };
+allow e2fs file_contexts_file:file r_file_perms;
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -19,6 +19,13 @@ allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
+# For the block devices where we have ioctl access,
+# allow at a minimum the following common fsck ioctls.
+allowxperm fsck dev_type:blk_file ioctl {
+  BLKDISCARDZEROES
+  BLKROGET
+};
 # To determine if it is safe to run fsck on a filesystem, e2fsck
 # must first determine if the filesystem is mounted. To do that,
 # e2fsck scans through /proc/mounts and collects all the mounted

--- a/public/init.te
+++ b/public/init.te
@@ -117,6 +117,7 @@ allow init self:global_capability_class_set { sys_rawio mknod };
 # Mounting filesystems from block devices.
 allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
 # Mounting filesystems.
 # Only allow relabelto for types used in context= mount options,

--- a/public/vold.te
+++ b/public/vold.te
@@ -99,6 +99,7 @@ allow vold self:global_capability_class_set { net_admin dac_override dac_read_se
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold loop_control_device:chr_file rw_file_perms;
 allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold loop_device:blk_file ioctl LOOP_GET_STATUS64;
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;