From ad0d0fc722d04e465ce2b0bfd2f8e04714c75391 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 29 May 2014 09:22:16 -0400
Subject: [PATCH] Protect /data/property.

/data/property is only accessible by root and is used by the init
property service for storing persistent property values.  Create
a separate type for it and only allow init to write to the directory
and files within it.  Add a neverallow rule so that future changes or
device-specific policy cannot grant access to other domains.

Change-Id: Iff556b9606c5651c0f1bba902e30b59bdd6f063a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te     | 4 ++++
 file.te       | 2 ++
 file_contexts | 1 +
 init.te       | 4 ++++
 unconfined.te | 4 ++--
 5 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index b0d7c95d6..eebe1a5c7 100644
--- a/domain.te
+++ b/domain.te
@@ -246,3 +246,7 @@ neverallow {
     -system_server
     -zygote
 } { file_type -system_file -exec_type }:file execute;
+
+# Only the init property service should write to /data/property.
+neverallow { domain -init } property_data_file:dir { create setattr relabelfrom rename write add_name remove_name rmdir };
+neverallow { domain -init } property_data_file:file { create setattr relabelfrom write append unlink link rename };
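Review bot: The two neverallow rules cover the write-style permissions on property_data_file but leave `mounton` on the dir class and `relabelto` on both classes uncovered, so a later allow rule that let another domain mount over /data/property, or relabel a file or directory it controls into the protected type, would still compile. If neither is ever intended for anything but init, extending the dir rule to `neverallow { domain -init } property_data_file:dir { create setattr relabelfrom relabelto mounton rename write add_name remove_name rmdir };` and adding `relabelto` to the file rule makes the guarantee match the commit message. Whether init itself needs relabelto for a restorecon of this directory is not visible here, but init is already excluded from the rule either way.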
diff --git a/file.te b/file.te
index 874f45f56..21bba2e24 100644
--- a/file.te
+++ b/file.te
@@ -64,6 +64,8 @@ type dalvikcache_profiles_data_file, file_type, data_file_type;
 type shell_data_file, file_type, data_file_type;
 # /data/gps
 type gps_data_file, file_type, data_file_type;
+# /data/property
+type property_data_file, file_type, data_file_type;
 
 # /data/misc subdirectories
 type adb_keys_file, file_type, data_file_type;
diff --git a/file_contexts b/file_contexts
index c871d95c3..fe493d3db 100644
--- a/file_contexts
+++ b/file_contexts
@@ -184,6 +184,7 @@
 /data/local/tmp(/.*)?	u:object_r:shell_data_file:s0
 /data/media(/.*)?	u:object_r:media_rw_data_file:s0
 /data/mediadrm(/.*)?	u:object_r:media_data_file:s0
+/data/property(/.*)?	u:object_r:property_data_file:s0
 
 # Misc data
 /data/misc/adb(/.*)?            u:object_r:adb_keys_file:s0
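Review bot: The new file_contexts pattern only takes effect for entries that are created or relabeled after this policy ships; on a device that already has /data/property from an earlier build, the directory and its files keep their old label until something runs restorecon over them, and none of the rules in this patch apply to them in the meantime. Whether the boot sequence relabels /data is outside this patch, so it is worth confirming and, if it does not, pairing this change with a `restorecon_recursive /data/property` in init.rc and saying so in the commit message.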
diff --git a/init.te b/init.te
index 028c46109..f0c6ac6d9 100644
--- a/init.te
+++ b/init.te
@@ -34,3 +34,7 @@ allow init keystore_data_file:file { getattr };
 # setfscreate is for labeling directories and socket files.
 # setsockcreate is for labeling local/unix domain sockets.
 allow init self:process { setexec setfscreate setsockcreate };
+
+# Create /data/property and files within it.
+allow init property_data_file:dir create_dir_perms;
+allow init property_data_file:file create_file_perms;
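Review bot: The comment above the new rules should record that init is deliberately the sole writer and that domain.te enforces it, so anyone later granting another domain access knows the build will reject it: `# Create /data/property and files within it. init is the only domain permitted to write here; see the neverallow rules in domain.te.` The create_dir_perms and create_file_perms macros presumably also carry read, search and getattr permissions (their definitions are not in this patch), which the "Create" wording understates.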
diff --git a/unconfined.te b/unconfined.te
index d4009f0ac..2302279b9 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -28,10 +28,10 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type dev_type file_type -keystore_data_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type dev_type file_type -keystore_data_file -property_data_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {file_type -keystore_data_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {file_type -keystore_data_file -property_data_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
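Review bot: Dropping property_data_file from both rules removes read access as well as the write permissions that the domain.te neverallow actually forbids, so unconfined domains end up stricter than the neverallow requires and the commit does not say whether that is deliberate. If it is (the description says the directory is root-only and properties are served through the property service), a one-line comment above the first changed rule, `# property_data_file is excluded entirely: only init may touch /data/property.`, would stop the read side being re-added later as a "fix"; if not, a narrower read-only allow for property_data_file could be added alongside. The keystore_data_file exclusion set is now duplicated across the two rules in the same form, which is fine but worth keeping in step when the next type is added.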
-- 
GitLab