Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 83ac242fb9a01e5cd07babfcf680185c0db2ae4e^! / .
commit83ac242fb9a01e5cd07babfcf680185c0db2ae4e[log] [tgz]
authorAlex Klyubin <klyubin@google.com>Tue Feb 07 12:41:44 2017 -0800
committerAlex Klyubin <klyubin@google.com>Tue Feb 07 23:57:53 2017 +0000
tree0ac62fe23147bfe82c7f5cd325abcf106d34b9e6
parent29dee5383e2686ae717fc9ab7e7de76563dfec72 [diff]
Move blkid policy to private

This leaves only the existence of blkid and blkid_untrusted domains as
public API. All other rules are implementation details of these
domains' policy and are thus now private.

Test: No change to policy according to sesearch, except for
      disappearance of all allow rules to do with blkid_current and
      blkid_untrusted_current (as expected).
Bug: 31364497
Change-Id: I0dda2feeb64608b204006eecd8a7c9b9c7bb2b81

diff --git a/private/blkid.te b/private/blkid.te
new file mode 100644
index 0000000..9c4cfcc
--- /dev/null
+++ b/private/blkid.te

@@ -0,0 +1,20 @@
+# blkid called from vold
+
+type blkid_exec, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow * blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;

diff --git a/private/blkid_untrusted.te b/private/blkid_untrusted.te
new file mode 100644
index 0000000..ae18e68
--- /dev/null
+++ b/private/blkid_untrusted.te

@@ -0,0 +1,35 @@
+# blkid for untrusted block devices
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+  dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow * blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;

diff --git a/public/blkid.te b/public/blkid.te
index c8df183..dabe014 100644
--- a/public/blkid.te
+++ b/public/blkid.te

@@ -1,20 +1,2 @@
 # blkid called from vold
 type blkid, domain;
-type blkid_exec, exec_type, file_type;
-
-# Allowed read-only access to encrypted devices to extract UUID/label
-allow blkid block_device:dir search;
-allow blkid userdata_block_device:blk_file r_file_perms;
-allow blkid dm_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid vold:fd use;
-allow blkid vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid blkid_exec:file rx_file_perms;
-
-# Only allow entry from vold
-neverallow { domain -vold } blkid:process transition;
-neverallow * blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;

diff --git a/public/blkid_untrusted.te b/public/blkid_untrusted.te
index cbbbbae..4be4c0c 100644
--- a/public/blkid_untrusted.te
+++ b/public/blkid_untrusted.te

@@ -1,36 +1,2 @@
 # blkid for untrusted block devices
 type blkid_untrusted, domain;
-
-# Allowed read-only access to vold block devices to extract UUID/label
-allow blkid_untrusted block_device:dir search;
-allow blkid_untrusted vold_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid_untrusted vold:fd use;
-allow blkid_untrusted vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid_untrusted blkid_exec:file rx_file_perms;
-
-###
-### neverallow rules
-###
-
-# Untrusted blkid should never be run on block devices holding sensitive data
-neverallow blkid_untrusted {
-  boot_block_device
-  frp_block_device
-  metadata_block_device
-  recovery_block_device
-  root_block_device
-  swap_block_device
-  system_block_device
-  userdata_block_device
-  cache_block_device
-  dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via blkid binary
-neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow * blkid_untrusted:process dyntransition;
-neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;