From 3f40d4f4b17a3a5eeac38a8150ab52e47a19ab3c Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 11 Feb 2014 14:40:14 -0500
Subject: [PATCH] Remove block device access from unconfined domains.

Only allow it to the domains that require it, and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te     | 2 +-
 init.te       | 1 +
 kernel.te     | 2 ++
 recovery.te   | 3 +++
 unconfined.te | 2 +-
 5 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index 13ce01604..5ac6b460f 100644
--- a/domain.te
+++ b/domain.te
@@ -203,7 +203,7 @@ neverallow domain init:binder call;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold } block_device:blk_file { open read write };
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
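Review bot: The comment above the new neverallow still only explains the relabel intent and says nothing about why kernel, init, recovery and vold are exempt, so the next person to widen the exception list has no guidance on what qualifies. Suggest extending the comment with `# Only domains that must access raw block devices (kernel, init, recovery, vold) are exempt; add a domain here only if a relabel to a specific type is not possible.` Note also that the neverallow covers only `block_device` and only `{ open read write }`, while the matching allow rules in init.te, kernel.te and recovery.te grant `rw_file_perms` on all of `dev_type`; that is broader than what this neverallow enforces, which appears intentional per the commit message but is worth stating in the comment so the asymmetry is not mistaken for an oversight.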
diff --git a/init.te b/init.te
index efce6e7d8..c05fabaa5 100644
--- a/init.te
+++ b/init.te
@@ -9,6 +9,7 @@ allow init unlabeled:filesystem mount;
 
 allow init self:capability { sys_rawio mknod };
 
+allow init dev_type:blk_file rw_file_perms;
 allow init fs_type:filesystem *;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
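Review bot: The new `allow init dev_type:blk_file rw_file_perms;` carries no comment, unlike the equivalent rule added to recovery.te in this same patch, so a reader cannot tell which init operations need raw block device access or whether the full `rw_file_perms` set is required. Suggest a one-line comment above it in the same style, e.g. `# Raw block device access; one of the explicit exemptions from the block_device neverallow in domain.te.` with the concrete use case filled in by the author. If only a subset (e.g. getattr/open/read) is actually needed, narrowing the permission set would keep init closer to least privilege.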
diff --git a/kernel.te b/kernel.te
index af107910f..88ebc5092 100644
--- a/kernel.te
+++ b/kernel.te
@@ -21,3 +21,5 @@ allow kernel self:security setcheckreqprot;
 ## TODO: Investigate whether it is safe to remove these
 allow kernel self:capability { sys_rawio mknod };
 auditallow kernel self:capability { sys_rawio mknod };
+allow kernel dev_type:blk_file rw_file_perms;
+auditallow kernel dev_type:blk_file rw_file_perms;
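Review bot: The two added lines sit directly under the existing `## TODO: Investigate whether it is safe to remove these` comment, so it is ambiguous whether the TODO is meant to cover the new blk_file rules as well as the capability rules. Since an `auditallow` is added alongside, it looks like the intent is the same "audit and later remove" approach; suggest making that explicit by amending the comment to `## TODO: Investigate whether it is safe to remove these (capability and blk_file rules)`. Be aware that `auditallow kernel dev_type:blk_file rw_file_perms;` will log every matching access by the kernel domain, which is presumably acceptable for the investigation period but should be noted so the audit volume is expected.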
diff --git a/recovery.te b/recovery.te
index ea444c4bb..b6f82c783 100644
--- a/recovery.te
+++ b/recovery.te
@@ -10,6 +10,9 @@ allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set rela
 allow recovery unlabeled:filesystem mount;
 allow recovery fs_type:filesystem *;
 
+# Required to e.g. wipe userdata/cache.
+allow recovery dev_type:blk_file rw_file_perms;
+
 allow recovery self:process execmem;
 allow recovery ashmem_device:chr_file execute;
 allow recovery tmpfs:file rx_file_perms;
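Review bot: The new `allow recovery dev_type:blk_file rw_file_perms;` does not exclude `kmem_device`, whereas the relabel rule at the top of this hunk (`{fs_type dev_type -kmem_device file_type}`) and the unconfined.te rule `{dev_type -kmem_device}:{ chr_file file }` both carve it out. If kmem_device is only ever a chr_file this is moot, but for consistency with the file's existing convention consider `allow recovery {dev_type -kmem_device}:blk_file rw_file_perms;` so that the exclusion does not depend on how the device happens to be labeled. The comment `# Required to e.g. wipe userdata/cache.` is good; init.te and kernel.te would benefit from the same treatment.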
diff --git a/unconfined.te b/unconfined.te
index 8415ada78..80d42b3e7 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -28,7 +28,7 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
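Review bot: Dropping `blk_file` from the class set removes every blk_file permission from unconfined domains, not just the `{ open read write }` the domain.te neverallow forbids, so operations such as getattr on entries under /dev/block (e.g. listing or stat'ing a block node) will now be denied for any unconfined domain unless granted elsewhere. If that is intended, a short comment stating that unconfined domains get no blk_file access by design would make the removal self-explanatory. If metadata access is still expected, a narrower rule such as `allow unconfineddomain {fs_type dev_type file_type}:blk_file ~{ open read write relabelto };` would keep the neverallow satisfied while preserving non-raw access; I cannot tell from this hunk alone which behavior is wanted.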
-- 
GitLab