Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 9a57bf0..682831f 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -1 +1,66 @@
typeattribute fsck_untrusted coredomain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck_untrusted vold:fd use;
+allow fsck_untrusted vold:fifo_file { read write getattr };
+
+# Run fsck on vold block devices
+allow fsck_untrusted block_device:dir search;
+allow fsck_untrusted vold_device:blk_file rw_file_perms;
+
+allow fsck_untrusted proc_mounts:file r_file_perms;
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
+###
+### neverallow rules
+###
+
+# Untrusted fsck should never be run on block devices holding sensitive data
+neverallow fsck_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } fsck_untrusted:process transition;
+neverallow * fsck_untrusted:process dyntransition;
+neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
+
+# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
+# permissions, that is a code mistake that needs to be fixed, not a permission that
+# should be granted. Same with setgid and setuid.
+neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
+
+###
+### dontaudit rules
+###
+
+# Ignores attempts to access sysfs. fsck binaries seem to like trying to go
+# here, but nothing bad happens if they can't, and they shouldn't be allowed.
+dontaudit fsck_untrusted sysfs:file rw_file_perms;
+dontaudit fsck_untrusted sysfs_dm:file rw_file_perms;
+dontaudit fsck_untrusted sysfs_dm:dir rw_dir_perms;
+
+# Ignore attempts to access tmpfs. fsck don't need to do this.
+dontaudit fsck_untrusted tmpfs:lnk_file read;