From 626f90c541add3560e5eb23cca6c2c9d6cebdcf4 Mon Sep 17 00:00:00 2001
From: Max Bires <jbires@google.com>
Date: Fri, 20 Jan 2017 14:26:05 -0800
Subject: [PATCH] Adding a neverallow rule to prevent renaming of device and char files

This neverallow addition addresses the renaming of files in exploits in order to bypass denied permissions. An example of a similar use case of using mv to bypass permission denials appeared in a recent project zero ChromeOS exploit as one of the steps in the exploit chain.
https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html

Additionally, vold and init both had permission sets that allowed them to rename, but neither of them seem to need it. Therefore the rename permission has also been removed from these two .te files.

Test: The device boots successfully
Change-Id: I07bbb58f058bf050f269b083e836c2c9a5bbad80
---
 public/domain.te | 5 +++++
 public/init.te | 2 +-
 public/vold.te | 4 ++--
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 5c483848f..09958f0a5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -279,6 +279,11 @@ neverallow * init:binder *;
 # Rather force a relabel to a more specific type
 neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
 
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
+
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
diff --git a/public/init.te b/public/init.te
index a6fa6d7c8..1d984c250 100644
--- a/public/init.te
+++ b/public/init.te
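Review bot: The new `neverallow * *:{ blk_file chr_file } rename;` is a build-time assertion, so it will fail the policy compile for any allow rule that grants `create_file_perms` on a block or character device node, since that macro presumably expands to a set that includes `rename` (this same commit rewrites init.te and vold.te to spell the set out without it, which looks like exactly that interaction). The three-line comment above the rule explains the exploit-chain motivation but not this maintenance consequence, so the next author who reaches for the macro on a `blk_file`/`chr_file` target gets an unexplained neverallow failure. Suggest adding `# Note: create_file_perms includes rename; spell out the permission set without it on blk_file/chr_file targets.` to the comment block. For consistency with the neighbouring comments in this file, the first comment line could also end with a period.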
@@ -5,7 +5,7 @@ type init, domain, domain_deprecated, mlstrustedsubject;
 type init_exec, exec_type, file_type;
 
 # /dev/__null__ node created by init.
-allow init tmpfs:chr_file create_file_perms;
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
 
 #
 # init direct restorecon calls.
diff --git a/public/vold.te b/public/vold.te
index 6baba08da..798d542f5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -64,8 +64,8 @@ allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold app_data_file:dir search;
 allow vold app_data_file:file rw_file_perms;
-allow vold loop_device:blk_file create_file_perms;
-allow vold vold_device:blk_file create_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
 # For vold Process::killProcessesWithOpenFiles function.
-- GitLab
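Review bot: `allow init tmpfs:chr_file { create setattr unlink rw_file_perms };` hand-expands what appears to be `create_file_perms` minus `rename` with no comment recording why the macro was dropped; the two `loop_device`/`vold_device` lines in the vold.te hunk have the same gap. Without a note, a later cleanup could fold these back into `create_file_perms` and only discover the conflict when the domain.te neverallow fails the policy build. Suggest `# create_file_perms minus rename: renaming blk/chr device nodes is neverallowed in domain.te.` above the init line and the same comment above the two vold lines. If the macro's contents are ever changed upstream, these spelled-out sets will silently drift from it, which is a second reason to record the intent next to the rules.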