Enforce assumptions around metadata_block_device
Add a compile time assertion that only authorized SELinux domains are
allowed to touch the metadata_block_device. This block device may be wiped at
will, and we want to ensure that we're not inadvertently destroying
other people's data.
Test: policy compiles.
Change-Id: I9854b527c3d83e17f717d6cc8a1c6b50e0e373b6
diff --git a/public/domain.te b/public/domain.te
index 787bc61..c9f7f6f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -383,6 +383,12 @@
-ueventd # Further restricted in ueventd.te
} frp_block_device:blk_file rw_file_perms;
+# The metadata block device is set aside for device encryption and
+# verified boot metadata. It may be reset at will and should not
+# be used by other domains.
+neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
+ { append link rename write open read ioctl lock };
+
# No domain other than recovery and update_engine can write to system partition(s).
neverallow { domain -recovery -update_engine } system_block_device:blk_file write;