Remove write permission from file mode of top-level user dirs

Due to the work done for b/156305599 ("Ensure no process except vold can
create directories like /data/system_ce/0"), the SELinux policy now
enforces that vold is the only process that can write to directories
that contain per-user encrypted subdirectories. This is essential to
prevent bugs where directories that are supposed to be encrypted get
created too early so are not actually encrypted as intended.

However, this only works when SELinux is in enforcing mode. When
SELinux is in permissive mode, only DAC is enforced, and the file modes
allow other processes to write to many of these directories. That
allows system_server to break things once again.

Therefore, remove the write bit from the file modes so that write access
is always denied to processes that don't have CAP_DAC_OVERRIDE. This is
not as strong a restriction as the SELinux policy, which still applies
independently, but it does keep out system_server by itself.

Also remove the sticky bit from /data/misc_ce and /data/misc_de, since
there is no reason for it. (It probably was originally copied from
/data/misc, which might need it. But misc_{ce,de} don't need it.)

Bug: 285239971
Test: Booted Cuttlefish
Change-Id: I1213a4d18c5f851acf213d786400d79d73777ed0
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 0ee85c7..5344368 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -919,15 +919,22 @@
# encryption policies apply recursively. These directories should never
# contain any subdirectories other than the per-user ones. /data/media/obb
# is an exception that exists for legacy reasons.
- mkdir /data/media 0770 media_rw media_rw encryption=None
- mkdir /data/misc_ce 01771 system misc encryption=None
- mkdir /data/misc_de 01771 system misc encryption=None
- mkdir /data/system_ce 0770 system system encryption=None
- mkdir /data/system_de 0770 system system encryption=None
- mkdir /data/user 0711 system system encryption=None
- mkdir /data/user_de 0711 system system encryption=None
- mkdir /data/vendor_ce 0771 root root encryption=None
- mkdir /data/vendor_de 0771 root root encryption=None
+ #
+ # Don't use any write mode bits (0222) for any of these directories, since
+ # the only process that should write to them directly is vold (since it
+ # needs to set up file-based encryption on the subdirectories), which runs
+ # as root with CAP_DAC_OVERRIDE. This is also fully enforced via the
+ # SELinux policy. But we also set the DAC file modes accordingly, to try to
+ # minimize differences in behavior if SELinux is set to permissive mode.
+ mkdir /data/media 0550 media_rw media_rw encryption=None
+ mkdir /data/misc_ce 0551 system misc encryption=None
+ mkdir /data/misc_de 0551 system misc encryption=None
+ mkdir /data/system_ce 0550 system system encryption=None
+ mkdir /data/system_de 0550 system system encryption=None
+ mkdir /data/user 0511 system system encryption=None
+ mkdir /data/user_de 0511 system system encryption=None
+ mkdir /data/vendor_ce 0551 root root encryption=None
+ mkdir /data/vendor_de 0551 root root encryption=None
# Set the casefold flag on /data/media. For upgrades, a restorecon can be
# needed first to relabel the directory from media_rw_data_file.
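
Review bot: The new comment above the mkdir lines says vold is the only process that should write to these directories directly, but the unchanged comment just before it names /data/media/obb as a subdirectory that is not per-user, and /data/media now drops from 0770 to 0550. Suggest saying in the comment who creates /data/media/obb and that it does so with CAP_DAC_OVERRIDE, so the legacy exception is visibly accounted for when SELinux is permissive. The comment could also record that the sticky bit on misc_ce and misc_de (01771 to 0551) was dropped on purpose, since that reasoning currently lives only in the commit message. The Test line covers a Cuttlefish boot only; it would help to note whether an upgrade over existing directories was checked as well.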