Merge "Adding a neverallow rule to prevent renaming of device and char files"

50e7d0f5 · Max Bires · Gerrit Code Review · 2ec9184e · 626f90c5 · 50e7d0f5
Commit 50e7d0f5 authored 8 years ago by Max Bires Committed by Gerrit Code Review 8 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -279,6 +279,11 @@ neverallow * init:binder *;
 # Rather force a relabel to a more specific type
 neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.

--- a/public/init.te
+++ b/public/init.te
@@ -5,7 +5,7 @@ type init, domain, domain_deprecated, mlstrustedsubject;
 type init_exec, exec_type, file_type;
 # /dev/__null__ node created by init.
-allow init tmpfs:chr_file create_file_perms;
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
 #
 # init direct restorecon calls.

--- a/public/vold.te
+++ b/public/vold.te
@@ -64,8 +64,8 @@ allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
-allow vold loop_device:blk_file create_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
-allow vold vold_device:blk_file create_file_perms;
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
 # For vold Process::killProcessesWithOpenFiles function.