# Fuseblk is a Filesystem in USErspace for block devices. It should only be used
# to mount untrusted blocks like USB drives.
#
# fuseblkd_untrusted is the unprivileged side of that mount: it may only be
# entered from vold through fuseblkd_untrusted_exec (see the neverallow rules
# below), holds no sys_admin/setuid/setgid capability, and is limited to
# stat-level access on every block device other than the FUSE device itself.
type fuseblkd_untrusted_exec, system_file_type, exec_type, file_type;
type fuseblkd_untrusted, domain;

typeattribute fuseblkd_untrusted coredomain;

# Executing a fuseblkd_exec binary from this domain transitions to the fuseblkd
# domain. The permissions this domain must never hold are expected to be
# compartmentalized into that smaller binary instead (see fuseblkd.te).
domain_auto_trans(fuseblkd_untrusted, fuseblkd_exec, fuseblkd);

# Allow stdin/out back to vold.
allow fuseblkd_untrusted vold:fd use;

# Allows fuseblk to look up block device nodes. Directory search only; access to
# individual device nodes is granted per type below.
allow fuseblkd_untrusted block_device:dir search;

# Permissions to stat dynamic partition block devices (getattr only, no open/read).
allow fuseblkd_untrusted super_block_device:blk_file getattr;

# Permissions to access FUSE character devices (read/write, no ioctl).
allow fuseblkd_untrusted fuse_device:chr_file { getattr open read write };

# Permissions to access /mnt/media_rw/ (traversal and stat only; nothing is
# created or written under it from this domain).
allow fuseblkd_untrusted mnt_media_rw_file:dir { getattr search };
allow fuseblkd_untrusted mnt_media_rw_stub_file:dir getattr;

# Permissions to read device-mapper state in sysfs. dm_device itself gets
# getattr only; read/write on it is ruled out by the neverallow block below.
allow fuseblkd_untrusted sysfs_dm:dir search;
allow fuseblkd_untrusted sysfs_dm:file { getattr open read };
allow fuseblkd_untrusted dm_device:blk_file getattr;

# Permissions to read links in tmpfs.
allow fuseblkd_untrusted tmpfs:lnk_file read;

# Permissions to stat loop device blocks (getattr only, no open/read).
allow fuseblkd_untrusted loop_device:blk_file getattr;

# Permissions to access the /proc/filesystems file.
allow fuseblkd_untrusted proc_filesystems:file { open read getattr };

###
### dontaudit rules
###

# ntfs-3g wants this permission to read a fork return code, for some reason.
# It's unclear why, because it still reads the fork return code correctly,
# and nothing breaks. If enforce is set to permissive, the audit goes away.
#
# dontaudit only silences the denial message; sys_admin is still denied, and
# the neverallow below guarantees it can never be granted. The trade-off is that
# a genuine attempt by this daemon to acquire sys_admin will not show up in the
# audit log either.
dontaudit fuseblkd_untrusted self:capability sys_admin;

###
### neverallow rules
###

# Fuseblk should never be run on block devices holding sensitive data.
# Any new block device type that carries system or user data belongs in this
# list too. super_block_device and loop_device are not listed, but the allow
# rules above grant them getattr only.
neverallow fuseblkd_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file no_rw_file_perms;

# Only allow entry from vold, and only through fuseblkd_untrusted_exec binaries.
# Dynamic transitions into the domain are denied for every domain, so the only
# way in is the exec-based transition from vold.
neverallow { domain -vold } fuseblkd_untrusted:process transition;
neverallow * fuseblkd_untrusted:process dyntransition;
neverallow fuseblkd_untrusted { file_type fs_type -fuseblkd_untrusted_exec }:file entrypoint;

# Under no circumstances should fuseblkd_untrusted or any other fuseblk filesystem be
# given sys_admin access. They are fundamentally untrusted, insecure filesystems.
# The correct solution here is to compartmentalize permissions correctly so that
# a smaller binary can get the required permissions. See fuseblkd.te.
# Similar to above, we don't need setgid or setuid permissions.
# The rule is stated against both self:capability and the
# global_capability_class_set macro so it covers every capability class the
# macro expands to.
neverallow fuseblkd_untrusted self:capability { setgid setuid sys_admin };
neverallow fuseblkd_untrusted self:global_capability_class_set { setgid setuid sys_admin };

# Since we can't have sys_admin permissions, we definitely can't have mount/unmount
# permissions, since we won't be able to use them. Same with relabel permissions.
neverallow fuseblkd_untrusted fuseblk:filesystem { mount unmount relabelto relabelfrom};