From 5207ca6af4eca8d41d16b4017f25ba4cf3420a99 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 15 Dec 2016 08:27:16 -0800
Subject: [PATCH] Enforce assumptions around metadata_block_device

Add a compile time assertion that only authorized SELinux domains are allowed to touch the metadata_block_device. This domain may be wiped at will, and we want to ensure that we're not inadvertently destroying other people's data.

Test: policy compiles.
Change-Id: I9854b527c3d83e17f717d6cc8a1c6b50e0e373b6
---
 public/domain.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index 787bc6175..c9f7f6f0d 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -383,6 +383,12 @@ neverallow {
   -ueventd # Further restricted in ueventd.te
 } frp_block_device:blk_file rw_file_perms;
 
+# The metadata block device is set aside for device encryption and
+# verified boot metadata. It may be reset at will and should not
+# be used by other domains.
+neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
+  { append link rename write open read ioctl lock };
+
 # No domain other than recovery and update_engine can write to system partition(s).
 neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
 
-- 
GitLab
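Review bot: The explicit permission set on the new `metadata_block_device:blk_file` neverallow stops at `lock` and leaves out `unlink` and `setattr`, so a domain outside `{ init recovery vold }` could still be granted deletion or mode/owner changes on the node without the compile-time assertion firing; if the intent in the comment ("should not be used by other domains") is meant literally, `{ append link rename unlink setattr write open read ioctl lock }` closes that gap, and `getattr` is presumably left out on purpose so the node can still be stat'ed. The neighbouring frp_block_device rule uses the `rw_file_perms` macro while this one spells the list out, so a short comment on why the set is enumerated (and which permissions are deliberately excluded) would keep the next editor from "fixing" it back to the macro. Note that a neverallow only asserts at policy build time; it does not itself deny anything at runtime, so the protection depends on no allow rule being added later, which the build then catches. The frp_block_device neverallow whose tail appears at the top of the hunk starts outside it.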