Separate fsck domains to protect userdata.

Create new vold_fsck domain that only has access to vold_block
devices to prevent any access to internal userdata.

Change-Id: I25ddcd16cbf83d7a25b70bc64d95f5345d0d5731
diff --git a/fsck.te b/fsck.te
index a86884c..6a3d1ee 100644
--- a/fsck.te
+++ b/fsck.te
@@ -1,4 +1,4 @@
-# Any fsck program run by init or vold
+# Any fsck program run by init
 type fsck, domain;
 type fsck_exec, exec_type, file_type;
 
@@ -15,11 +15,6 @@
 allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck vold_device:blk_file rw_file_perms;
-
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };
 
 ###
 ### neverallow rules
@@ -34,9 +29,10 @@
   root_block_device
   swap_block_device
   system_block_device
+  vold_device
 }:blk_file no_rw_file_perms;
 
-# Only allow entry from init or vold via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
+# Only allow entry from init via fsck binaries
+neverallow { domain -init } fsck:process transition;
 neverallow domain fsck:process dyntransition;
 neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
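Review bot: The list of block-device types that fsck must never read or write is now maintained in two places: this neverallow block (where `vold_device` is added) and the one in the new vold_fsck.te, which carries the same entries plus `userdata_block_device` and `cache_block_device`. A new protected partition type added to one list will silently be missing from the other, and nothing in the policy ties them together. Without restructuring, I would at least add a comment above this block: `# Keep in sync with the corresponding neverallow list in vold_fsck.te.` and the mirror comment in vold_fsck.te. The neverallow list begins before this hunk (its first entries are in the hidden context above `root_block_device`).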
diff --git a/vold.te b/vold.te
index cde7c77..0a42b2d 100644
--- a/vold.te
+++ b/vold.te
@@ -8,7 +8,7 @@
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
 domain_auto_trans(vold, blkid_exec, blkid);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
-domain_auto_trans(vold, fsck_exec, fsck);
+domain_auto_trans(vold, fsck_exec, vold_fsck);
 
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
diff --git a/vold_fsck.te b/vold_fsck.te
new file mode 100644
index 0000000..e45c527
--- /dev/null
+++ b/vold_fsck.te
@@ -0,0 +1,35 @@
+# Any fsck program run by vold
+type vold_fsck, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow vold_fsck devpts:chr_file { read write ioctl getattr };
+
+# Run fsck on certain block devices
+allow vold_fsck block_device:dir search;
+allow vold_fsck vold_device:blk_file rw_file_perms;
+
+# Allow stdin/out back to vold
+allow vold_fsck vold:fd use;
+allow vold_fsck vold:fifo_file { read write getattr };
+
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow vold_fsck {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } vold_fsck:process transition;
+neverallow domain vold_fsck:process dyntransition;
+neverallow vold_fsck { file_type fs_type -fsck_exec }:file entrypoint;
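Review bot: The header comment on the new domain says only "Any fsck program run by vold", which does not record why this domain exists separately from `fsck`; the rationale lives only in the commit message. A reader later consolidating the two domains, or adding `userdata_block_device` here to fix a vold use case, would be undoing the protection this change introduces. I would expand the header to state the intent, e.g. `# Any fsck program run by vold. Deliberately separate from the init-launched fsck domain: vold-launched fsck may only touch vold_device block devices and must never gain access to internal userdata or cache partitions (see neverallow below).` The devpts and `vold:fd use` rules are self-explanatory and need no further comment.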