am 8a0c25ef: Do not allow init to execute anything without changing domains.

* commit '8a0c25ef': Do not allow init to execute anything without changing domains.

am 8a0c25ef: Do not allow init to execute anything without changing domains.
* commit '8a0c25ef': Do not allow init to execute anything without changing domains.
67b0ee2d · Stephen Smalley · Android Git Automerger · 95ee35f8 · 8a0c25ef · 67b0ee2d
Commit 67b0ee2d authored 10 years ago by Stephen Smalley Committed by Android Git Automerger 10 years ago
--- a/device.te
+++ b/device.te
@@ -73,3 +73,6 @@ type userdata_block_device, dev_type;

 # Cache block device mounted on /cache.
 type cache_block_device, dev_type;
+
+# Block device for any swap partition.
+type swap_block_device, dev_type;
--- a/domain.te
+++ b/domain.te
@@ -102,6 +102,10 @@ allow domain system_file:file r_file_perms;
 allow domain system_file:file execute;
 allow domain system_file:lnk_file r_file_perms;

+# Run toolbox.
+# Kernel and init never run anything without changing domains.
+allow { domain -kernel -init } toolbox_exec:file rx_file_perms;
+
 # Read files already opened under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:file { getattr read };
@@ -250,7 +254,7 @@ neverallow domain init:binder *;

 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery -fsck } block_device:blk_file { open read write };

 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.

--- a/file_contexts
+++ b/file_contexts
@@ -123,6 +123,8 @@
 # System files
 #
 /system(/.*)?		u:object_r:system_file:s0
+/system/bin/e2fsck	--	u:object_r:fsck_exec:s0
+/system/bin/toolbox	--	u:object_r:toolbox_exec:s0
 /system/bin/logcat	--	u:object_r:logcat_exec:s0
 /system/bin/sh		--	u:object_r:shell_exec:s0
 /system/bin/run-as	--	u:object_r:runas_exec:s0

--- a/fsck.te
+++ b/fsck.te
+# e2fsck or any other fsck program run by init.
+type fsck, domain;
+type fsck_exec, exec_type, file_type;
+permissive_or_unconfined(fsck)
+
+init_daemon_domain(fsck)
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow fsck tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck devpts:chr_file { read write };
+
+# Run e2fsck on block devices.
+# TODO:  Assign userdata and cache block device types to the corresponding
+# block devices in all device policies, and then remove access to
+# block_device:blk_file from here.
+allow fsck block_device:blk_file rw_file_perms;
+allow fsck userdata_block_device:blk_file rw_file_perms;
+allow fsck cache_block_device:blk_file rw_file_perms;
+
+# Only allow entry from init via the e2fsck binary.
+neverallow { domain -init } fsck:process transition;
+neverallow domain fsck:process dyntransition;
+neverallow fsck { file_type fs_type -fsck_exec}:file entrypoint;
--- a/init.te
+++ b/init.te
@@ -6,14 +6,8 @@ tmpfs_domain(init)

 allow init self:capability { sys_rawio mknod };

-# Run helpers from / or /system without changing domain.
-# We do not include exec_type here since generally those
-# should always involve a domain transition.
-allow init rootfs:file execute_no_trans;
-allow init system_file:file execute_no_trans;
-
-# Running e2fsck or mkswap via fs_mgr.
-allow init dev_type:blk_file rw_file_perms;
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;

 # Mounting filesystems.
 # Only allow relabelto for types used in context= mount options,
@@ -121,3 +115,6 @@ neverallow init { file_type fs_type }:file entrypoint;
 # Never read/follow symlinks created by shell or untrusted apps.
 neverallow init shell_data_file:lnk_file read;
 neverallow init app_data_file:lnk_file read;
+
+# init should never execute a program without changing to another domain.
+neverallow init { file_type fs_type }:file execute_no_trans;
--- a/toolbox.te
+++ b/toolbox.te
+# Any toolbox command run by init.
+# At present, the only known usage is for running mkswap via fs_mgr.
+# Do NOT use this domain for toolbox when run by any other domain.
+type toolbox, domain;
+type toolbox_exec, exec_type, file_type;
+permissive_or_unconfined(toolbox)
+
+init_daemon_domain(toolbox)
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow toolbox tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow toolbox devpts:chr_file { read write };
+
+# mkswap-specific.
+# Read/write block devices used for swap partitions.
+# Assign swap_block_device type any such partition in your
+# device/<vendor>/<product>/sepolicy/file_contexts file.
+allow toolbox swap_block_device:blk_file rw_file_perms;
+
+# Only allow entry from init via the toolbox binary.
+neverallow { domain -init } toolbox:process transition;
+neverallow domain toolbox:process dyntransition;
+neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;