Selinux label for /mnt/encryptedstore
Create a label for the encrypted storage. encryptedstore_file & _fs
corresponding to the file & fs type.
encryptedstore process mounts the device on /mnt/encryptedstore with
fscontext & context.
microdroid_payload will have rw & related permissions on it. Also, add a
neverallow rule to deny execute permission on all domains.
encryptedstore needs relabel permission from tmpfs to
encryptedstore_file, along with mount-like permissions on the latter.
Bug: 261477008
Test: atest MicrodroidTests#encryptedStorageAvailable
Change-Id: Iffa1eb400f90874169d26fc2becb1dda9a1269a9
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 04a9859..6252d09 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -383,9 +383,9 @@
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
-neverallow * { contextmount_type -authfs_fuse }:dir_file_class_set
+neverallow * { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set
{ create relabelfrom relabelto append link rename };
-neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
+neverallow domain { contextmount_type -authfs_fuse -encryptedstore_file }:dir_file_class_set { write unlink };
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
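Review bot: The `-encryptedstore_file` subtraction on the two changed neverallow lines only has an effect if encryptedstore_file carries the contextmount_type attribute, but the new declaration in file.te (`type encryptedstore_file, file_type;`) gives it only file_type, and it is encryptedstore_fs that is declared contextmount_type; since both rules are over dir_file_class_set, the exclusion looks like a no-op as written. If the intent is that files on the context= mount stay writable while the guard keeps covering every other context mount, it would be clearer either to add contextmount_type to the encryptedstore_file declaration so the exclusion is load-bearing, or to drop the subtraction here and record the reasoning in a comment such as `# encryptedstore_file is not a contextmount_type; writes to it are governed by microdroid_payload.te and the no-execute neverallow below`. This block exists specifically to stop a context= mount from being writable and the change carves out exactly such a mount, so the rationale deserves a sentence next to the rule in either case.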
@@ -555,3 +555,6 @@
# These domains must not be crash dumped
neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
+
+# Ensure that no one can execute from encrypted storage, which is a writable partition in VM.
+neverallow domain encryptedstore_file:file no_x_file_perms;
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
index 522f090..5fa2e3a 100644
--- a/microdroid/system/private/encryptedstore.te
+++ b/microdroid/system/private/encryptedstore.te
@@ -31,11 +31,12 @@
allow encryptedstore sysfs_fs_ext4_features:dir search;
allow encryptedstore sysfs_fs_ext4_features:file r_file_perms;
-# encryptedstore to mount on /mnt/ directory
+# encryptedstore to mount on tmpfs bases directory (/mnt/)
allow encryptedstore tmpfs:dir { add_name create mounton write };
-# Unmount and mount filesystem
-allow encryptedstore labeledfs:filesystem { mount unmount };
+# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the later
+allow encryptedstore labeledfs:filesystem { relabelfrom };
+allow encryptedstore encryptedstore_fs:filesystem { mount unmount relabelto relabelfrom };
# allow encryptedstore to log to the kernel
allow encryptedstore kmsg_device:chr_file w_file_perms;
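Review bot: Both new comments have wording errors that make them misleading: `# encryptedstore to mount on tmpfs bases directory (/mnt/)` should read `tmpfs based directory`, and `then mounts on the later` should be `latter`. The second comment also under-explains the permission set: `relabelto` on encryptedstore_fs is what the fscontext= relabel from labeledfs needs, while `relabelfrom` on that same type appears to be required for the additional context= option (the kernel checks filesystem relabelfrom against the superblock label when it applies a context= label to inodes, if I read that path correctly), so a line such as `# relabelfrom on encryptedstore_fs is needed for the context= option applied on top of fscontext=` would stop the next reader from removing it as redundant. Separately, the commit message says encryptedstore needs relabel permission from tmpfs to encryptedstore_file, but nothing in this hunk or elsewhere in the diff grants `tmpfs:dir relabelfrom` or `encryptedstore_file:dir relabelto`; the domain is only allowed to create the directory under tmpfs, so if the mount point is expected to be relabelled at runtime rather than created already labelled, a rule is missing, and otherwise the message is imprecise.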
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index b94571d..da54361 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -4,6 +4,7 @@
allow cgroup_rc_file tmpfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow dev_type tmpfs:filesystem associate;
+allow encryptedstore_file encryptedstore_fs:filesystem associate;
allow extra_apk_file zipfusefs:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
@@ -20,3 +21,6 @@
# /system/bin/mke2fs - used to format encryptedstore block device
type e2fs_exec, system_file_type, exec_type, file_type;
+
+type encryptedstore_file, file_type;
+type encryptedstore_fs, fs_type, contextmount_type;
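Review bot: The two new type declarations are the only ones in this region without a describing comment, whereas the neighbouring `e2fs_exec` line is documented. Because the pair is split between a file label and a superblock label, a one-line comment on each would make that split obvious, following the commit message: `# contents of /mnt/encryptedstore, applied via the context= mount option` above `type encryptedstore_file, file_type;` and `# superblock label of the encrypted storage mount, applied via fscontext=` above `type encryptedstore_fs, fs_type, contextmount_type;`. The contextmount_type attribute on the second line is the reason the neverallow carve-out in domain.te is discussed in terms of the fs type rather than the file type, so naming it here helps.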
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index ae9b095..0ccb250 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -167,3 +167,7 @@
#############################
# Directory for extra apks
/mnt/extra-apk u:object_r:extra_apk_file:s0
+
+#############################
+# Directory for encrypted storage (persistent across boot)
+/mnt/encryptedstore u:object_r:encryptedstore_file:s0
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 309210c..c1974c7 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -36,7 +36,6 @@
create listen accept read getattr write setattr lock append bind
getopt setopt shutdown map
};
-neverallow microdroid_payload self:vsock_socket connect;
# Payload can read extra apks
r_dir_file(microdroid_payload, extra_apk_file)
@@ -56,3 +55,10 @@
# Allow payload to communicate with microdroid manager
unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
+
+# Payload can read, write into encrypted storage directory
+allow microdroid_payload encryptedstore_file:dir create_dir_perms;
+allow microdroid_payload encryptedstore_file:file create_file_perms;
+
+# Never allow microdroid_payload to connect to vsock
+neverallow microdroid_payload self:vsock_socket connect;
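Review bot: The new grants cover only the `dir` and `file` classes on encryptedstore_file, so a payload that creates a symlink, fifo or socket inside /mnt/encryptedstore will be denied; if that restriction is deliberate it is worth stating with a comment like `# Only regular files and directories; no symlinks, fifos or sockets in encrypted storage`, and if it is not, `lnk_file` at least is usually wanted alongside create_file_perms. The comment `# Payload can read, write into encrypted storage directory` reads better as `# Payload can read from and write to the encrypted storage directory`. The vsock connect neverallow is moved verbatim from earlier in the file with no functional change, so its new comment is the only addition there; unless the move is intentional, keeping the rule next to the other vsock_socket rules it qualifies is easier to audit than placing it at the end of the file.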