Adding a neverallow rule to prevent renaming of device and char files
This neverallow addition addresses the renaming of files in exploits in
order to bypass denied permissions. An example of a similar use case of
using mv to bypass permission denials appeared in a recent project zero
ChromeOS exploit as one of the steps in the exploit chain.
https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
Additionally, vold and init both had permission sets that allowed them
to rename, but neither of them seems to need it. Therefore the rename
permission has also been removed from these two .te files.
Test: The device boots successfully
Change-Id: I07bbb58f058bf050f269b083e836c2c9a5bbad80
diff --git a/public/domain.te b/public/domain.te
index 5c48384..09958f0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -279,6 +279,11 @@
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
+
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
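Review bot: The new neverallow on line 22 uses the bare `*` source wildcard while the rule two lines above spells out `{ domain -kernel -init -recovery }`; both forms are valid, but the comment should state that no domain is exempted on purpose and that the commonly used `create_file_perms` macro expands to include `rename`, so any policy that grants that macro on `blk_file` or `chr_file` now fails the neverallow check at policy build time rather than being caught at runtime. The comment line `# Ability to do so can lead to possible use in an exploit chain` reads as vague; suggest `# Renaming a device node lets a domain work around path-based denials (see the commit message); no domain is exempt, and create_file_perms (which includes rename) must not be granted on blk_file/chr_file.` This also tells the reader why init.te and vold.te are changed in the same commit.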
diff --git a/public/init.te b/public/init.te
index a6fa6d7..1d984c2 100644
--- a/public/init.te
+++ b/public/init.te
@@ -5,7 +5,7 @@
type init_exec, exec_type, file_type;
# /dev/__null__ node created by init.
-allow init tmpfs:chr_file create_file_perms;
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
#
# init direct restorecon calls.
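Review bot: The replacement rule on line 35 hand-expands `create_file_perms` with `rename` dropped, and the vold.te hunk (lines 48-49) does the same twice; these expanded sets will drift silently if the macro definition in global_macros ever changes, and nothing in the rule says why the macro was abandoned. A one-line comment tying the set back to the new neverallow keeps the intent visible, e.g. `# create_file_perms minus rename: domain.te forbids rename on chr_file/blk_file`, placed above this line and above the two loop_device/vold_device rules in vold.te. If the same pattern recurs elsewhere, a dedicated macro in global_macros for "create_file_perms without rename" would avoid the duplication, though that is outside this change.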
diff --git a/public/vold.te b/public/vold.te
index 6baba08..798d542 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -64,8 +64,8 @@
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
-allow vold loop_device:blk_file create_file_perms;
-allow vold vold_device:blk_file create_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
# For vold Process::killProcessesWithOpenFiles function.