From ebc3a1a34ce914654fcc4edf9a2d26bf5fa76260 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 9 Oct 2018 14:22:47 -0700
Subject: [PATCH] Move to ioctl whitelisting for plain files / directories

Remove kernel attack surface associated with ioctls on plain files. In
particular, we want to ensure that the ioctls FS_IOC_ENABLE_VERITY and
FS_IOC_MEASURE_VERITY are not exposed outside a whitelisted set of
entities. However, it's straightforward enough to turn on ioctl
whitelisting for everything, so we choose to do so.

Test: policy compiles and device boots
Test: device boots with data wipe
Test: device boots without data wipe
Change-Id: I545ae76dddaa2193890eeb1d404db79d1ffa13c2
---
 private/adbd.te       |  4 ++++
 public/domain.te      | 17 +++++++++++++++++
 public/init.te        |  6 ++++++
 public/vendor_init.te |  6 ++++++
 public/vold.te        | 10 ++++++++++
 5 files changed, 43 insertions(+)

diff --git a/private/adbd.te b/private/adbd.te
index 864358a57..685b2cc24 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -42,6 +42,10 @@ net_domain(adbd)
 # Access /dev/usb-ffs/adb/ep0
 allow adbd functionfs:dir search;
 allow adbd functionfs:file rw_file_perms;
+allowxperm adbd functionfs:file ioctl {
+  FUNCTIONFS_ENDPOINT_DESC
+  FUNCTIONFS_CLEAR_HALT
+};
 
 # Use a pseudo tty.
 allow adbd devpts:chr_file rw_file_perms;
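Review bot: The new allowxperm block on functionfs:file lists two FunctionFS ioctls without a comment saying what adbd uses them for, whereas every other hunk in this change carries a one-line purpose comment above its allowxperm. Presumably these cover reading the endpoint descriptor and clearing a halted endpoint on the adb gadget; a comment such as `# Query endpoint descriptors and clear endpoint halt on the adb USB endpoints` would document that. Since rw_file_perms already carries the base ioctl permission, it is also worth a short note that this rule narrows rather than widens what adbd may do on these files.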
diff --git a/public/domain.te b/public/domain.te
index 16cc09884..db0c8cbb7 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -291,6 +291,23 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 # separately.
 allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
+# All domains must clearly enumerate what ioctls they use
+# on plain files and directories
+allowxperm domain { file_type fs_type }:{ dir file } ioctl { 0 };
+
+# Support sqlite F2FS specific optimizations
+# ioctl permission on the specific file type is still required
+# TODO: consider only compiling these rules if we know the
+# /data partition is F2FS
+allowxperm domain file_type:file ioctl {
+  F2FS_IOC_ABORT_VOLATILE_WRITE
+  F2FS_IOC_COMMIT_ATOMIC_WRITE
+  F2FS_IOC_GET_FEATURES
+  F2FS_IOC_GET_PIN_FILE
+  F2FS_IOC_SET_PIN_FILE
+  F2FS_IOC_START_ATOMIC_WRITE
+};
+
 # Workaround for policy compiler being too aggressive and removing hwservice_manager_type
 # when it's not explicitly used in allow rules
 allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
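Review bot: The `{ 0 }` operand on the new domain-wide allowxperm rule is what switches ioctl whitelisting on for dir and file across file_type and fs_type, but the comment above it does not say so, and a reader may take 0 for a real ioctl number. Suggest extending the comment with `# { 0 } is a placeholder: once any allowxperm rule exists for a source/target/class, every ioctl not explicitly listed there is denied`. The commit message's actual goal, keeping FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY away from all but a chosen set of domains, is not enforced by anything in this hunk; a neverallowxperm rule over those two ioctls for every domain outside that set would make the policy compiler reject a later allowxperm that re-exposes them, rather than relying on review to catch it. The F2FS block is deliberately granted to every domain on all file_type files, which is broader than the rest of the change; stating that trade-off in the comment next to the TODO would help the next reviewer.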
diff --git a/public/init.te b/public/init.te
index 18d11b6c6..215246ba9 100644
--- a/public/init.te
+++ b/public/init.te
@@ -500,6 +500,12 @@ allow init init:key { write search setattr };
 # Allow init to create /data/unencrypted
 allow init unencrypted_data_file:dir create_dir_perms;
 
+# Set encryption policy on dirs in /data
+allowxperm init data_file_type:dir ioctl {
+  FS_IOC_GET_ENCRYPTION_POLICY
+  FS_IOC_SET_ENCRYPTION_POLICY
+};
+
 # Allow init to write to /proc/sys/vm/overcommit_memory
 allow init proc_overcommit_memory:file { write };
 
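Review bot: The comment `# Set encryption policy on dirs in /data` describes only half of the rule beneath it, which also grants FS_IOC_GET_ENCRYPTION_POLICY; suggest `# Get and set encryption policy on dirs in /data`. The vendor_init.te hunk in this change carries the identical comment and rule and has the same mismatch. The vold.te hunk has the inverse problem, its comment mentions only the get side.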
diff --git a/public/vendor_init.te b/public/vendor_init.te
index dfd4d8fa8..01c2f17fd 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -35,6 +35,12 @@ allow vendor_init self:global_capability_class_set { chown fowner fsetid };
 allow vendor_init unencrypted_data_file:dir search;
 allow vendor_init unencrypted_data_file:file r_file_perms;
 
+# Set encryption policy on dirs in /data
+allowxperm vendor_init data_file_type:dir ioctl {
+  FS_IOC_GET_ENCRYPTION_POLICY
+  FS_IOC_SET_ENCRYPTION_POLICY
+};
+
 allow vendor_init system_data_file:dir getattr;
 
 allow vendor_init {
diff --git a/public/vold.te b/public/vold.te
index cd2d4f745..8f50e6aea 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -43,6 +43,16 @@ allow vold shell_exec:file rx_file_perms;
 # For formatting adoptable storage devices
 allow vold e2fs_exec:file rx_file_perms;
 
+# Run fstrim on mounted partitions
+# allowxperm still requires the ioctl permission for the individual type
+allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
+
+# Get encryption policy for dirs in /data
+allowxperm vold data_file_type:dir ioctl {
+  FS_IOC_GET_ENCRYPTION_POLICY
+  FS_IOC_SET_ENCRYPTION_POLICY
+};
+
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
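Review bot: The comment `# Get encryption policy for dirs in /data` says "get", yet the rule beneath it also grants FS_IOC_SET_ENCRYPTION_POLICY on every data_file_type directory. If vold only needs to read the policy, the set ioctl should be dropped so that the whitelist this change introduces stays minimal; if vold does set policies, the comment should say so, e.g. `# Get and set encryption policy for dirs in /data`. The FITRIM rule is fine as written, and its note that the base ioctl permission is still required per type is the kind of explanation the other hunks would benefit from.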
-- 
GitLab