Separate fsck domains to protect userdata.

Create new vold_fsck domain that only has access to vold_block devices to prevent any access to internal userdata. Change-Id: I25ddcd16cbf83d7a25b70bc64d95f5345d0d5731

Separate fsck domains to protect userdata.
Create new vold_fsck domain that only has access to vold_block devices to prevent any access to internal userdata. Change-Id: I25ddcd16cbf83d7a25b70bc64d95f5345d0d5731
5a5b364c · Jeff Sharkey · 5895ffe1 · 5a5b364c · 5a5b364c · 5a5b364c
Commit 5a5b364c authored 10 years ago by Jeff Sharkey
--- a/fsck.te
+++ b/fsck.te
-# Any fsck program run by init or vold
+# Any fsck program run by init
 type fsck, domain;
 type fsck_exec, exec_type, file_type;
@@ -15,11 +15,6 @@ allow fsck devpts:chr_file { read write ioctl getattr };
 allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck vold_device:blk_file rw_file_perms;
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };
 ###
 ### neverallow rules
@@ -34,9 +29,10 @@ neverallow fsck {
  root_block_device
  swap_block_device
  system_block_device
+  vold_device
 }:blk_file no_rw_file_perms;
-# Only allow entry from init or vold via fsck binaries
+# Only allow entry from init via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
+neverallow { domain -init } fsck:process transition;
 neverallow domain fsck:process dyntransition;
 neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
--- a/vold.te
+++ b/vold.te
@@ -8,7 +8,7 @@ init_daemon_domain(vold)
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
 domain_auto_trans(vold, blkid_exec, blkid);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
-domain_auto_trans(vold, fsck_exec, fsck);
+domain_auto_trans(vold, fsck_exec, vold_fsck);
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;

--- a/vold_fsck.te
+++ b/vold_fsck.te
+# Any fsck program run by vold
+type vold_fsck, domain;
+# Inherit and use pty created by android_fork_execvp_ext().
+allow vold_fsck devpts:chr_file { read write ioctl getattr };
+# Run fsck on certain block devices
+allow vold_fsck block_device:dir search;
+allow vold_fsck vold_device:blk_file rw_file_perms;
+# Allow stdin/out back to vold
+allow vold_fsck vold:fd use;
+allow vold_fsck vold:fifo_file { read write getattr };
+###
+### neverallow rules
+###
+# fsck should never be run on these block devices
+neverallow vold_fsck {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+}:blk_file no_rw_file_perms;
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } vold_fsck:process transition;
+neverallow domain vold_fsck:process dyntransition;
+neverallow vold_fsck { file_type fs_type -fsck_exec }:file entrypoint;