From 585d9767c0c28534972b5e27dc8feabd15660fc1 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 17 Feb 2017 12:47:25 -0800
Subject: [PATCH] fsck: allow stat access on /dev/block files
To determine if it is safe to run fsck on a filesystem, e2fsck must first determine if the filesystem is mounted. To do that, e2fsck scans through /proc/mounts and collects all the mounted block devices. With that information, it runs stat() on each block device, comparing the major and minor numbers to the filesystem passed in on the command line. If there is a match, then the filesystem is currently mounted and running fsck is dangerous.
Allow stat access to all block devices so that fsck can compare major/minor values.
Addresses the following denials:
avc: denied { getattr } for comm="e2fsck" path="/dev/block/sde5" dev="tmpfs" ino=15649 scontext=u:r:fsck:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file permissive=0
avc: denied { getattr } for comm="e2fsck" path="/dev/block/sda25" dev="tmpfs" ino=15528 scontext=u:r:fsck:s0 tcontext=u:object_r:modem_block_device:s0 tclass=blk_file permissive=0
avc: denied { getattr } for comm="e2fsck" path="/dev/block/sda31" dev="tmpfs" ino=15552 scontext=u:r:fsck:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=0
avc: denied { getattr } for comm="e2fsck" path="/dev/block/sdd3" dev="tmpfs" ino=15600 scontext=u:r:fsck:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
Bug: 35324014
Bug: 33781554
Test: device boots and no SELinux denials.
Change-Id: I5af4a334ec41952887914eec4eee5c60cc441a66
---
 public/domain.te | 2 +-
 public/fsck.te | 13 ++++++++++---
 public/fsck_untrusted.te | 11 +++++++++++
 3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/public/domain.te b/public/domain.te
index 9993f2fe1..e2c71da61 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -378,7 +378,7 @@ neverallow {
 -system_server
 -shell # Shell is further restricted in shell.te
 -ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file rw_file_perms;
+} frp_block_device:blk_file no_rw_file_perms;
 # The metadata block device is set aside for device encryption and
 # verified boot metadata. It may be reset at will and should not
diff --git a/public/fsck.te b/public/fsck.te
index 2f0a838e2..8f3b17a4a 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -19,9 +19,16 @@ allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
-# fsck performs a stat() on swap to verify that it is a valid
-# swap device before setting the EXT2_MF_SWAP mount flag.
-allow fsck swap_block_device:blk_file getattr;
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
 r_dir_file(fsck, proc)
 allow fsck rootfs:dir r_dir_perms;
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index 98806dd1f..a9dd8055a 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
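Review bot: The neverallow on `frp_block_device` is loosened from `rw_file_perms` to `no_rw_file_perms` with no comment and no mention in the commit message; presumably this is so the new `allow fsck dev_type:blk_file getattr` in fsck.te (frp_block_device presumably carries `dev_type`) no longer collides with it, but the intent is invisible to the next reader. Whatever `no_rw_file_perms` expands to in global_macros, confirm it still forbids open, read, write and ioctl on the FRP partition; if it drops any of those, this rule no longer guards what its name and the careful list of exclusions promise. A comment above the `neverallow {` line, which begins outside this hunk, would record the carve-out, e.g. `# getattr is deliberately not covered: fsck stats every block device (see fsck.te) to detect mounted filesystems.`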
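Review bot: The nine-line comment above `allow fsck dev_type:blk_file getattr;` repeats the commit message verbatim, and the same nine lines are pasted again in fsck_untrusted.te in the following hunk; a shorter comment reads better, and the removed note about swap should not be lost, since `dev_type` presumably subsumes `swap_block_device` and the stat() on swap is still why that grant matters. Suggested replacement: `# e2fsck stat()s every block device listed in /proc/mounts and compares major/minor` / `# numbers with the device under check, refusing to fsck a mounted filesystem.` / `# getattr only; this also covers the stat() on swap done before setting EXT2_MF_SWAP.` It is also worth stating explicitly that this grants getattr on every block device type carrying `dev_type`, not just the four types in the reported denials; that is wider than strictly required, though getattr exposes only existence and major/minor numbers, not data.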
@@ -14,6 +14,17 @@ allow fsck_untrusted vold_device:blk_file rw_file_perms;
 r_dir_file(fsck_untrusted, proc)
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
 ###
 ### neverallow rules
 ###
-- 
GitLab
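Review bot: `allow fsck_untrusted dev_type:blk_file getattr;` gives a domain that, judging by its name and the `vold_device` context line, checks untrusted filesystems stat access to every block device on the system, and the `### neverallow rules ###` section that begins right below is outside this hunk; confirm none of those rules covers getattr on block device types other than `vold_device`, since a conflicting neverallow fails the policy build rather than quietly taking precedence. If that section is meant to confine fsck_untrusted to vold devices, add a note there that getattr on other block devices is intentionally permitted for the mounted-filesystem check. The comment block is the same nine lines as in fsck.te, and the shorter wording proposed for that hunk applies here unchanged.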