Different blkid and fsck execution domains.

vold works with two broad classes of block devices: untrusted devices
that come in from the wild, and trusted devices.

When running blkid and fsck, we pick which SELinux execution domain
to use based on which class the device belongs to.

Bug: 19993667
Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5

6 files changed, 99 insertions, 45 deletions

diff --git a/blkid.te b/blkid.te
index 54f6bc2..15b6a85 100644
--- a/blkid.te
+++ b/blkid.te
@@ -2,15 +2,19 @@
 type blkid, domain;
 type blkid_exec, exec_type, file_type;
 
-# Allowed read-only access to vold block devices to extract UUID/label
+# Allowed read-only access to encrypted devices to extract UUID/label
 allow blkid block_device:dir search;
-allow blkid vold_device:blk_file r_file_perms;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
 
 # Allow stdin/out back to vold
 allow blkid vold:fd use;
 allow blkid vold:fifo_file { read write getattr };
 
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
 # Only allow entry from vold
 neverallow { domain -vold } blkid:process transition;
 neverallow domain blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec }:file entrypoint;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
new file mode 100644
index 0000000..df8e447
--- /dev/null
+++ b/blkid_untrusted.te
@@ -0,0 +1,36 @@
+# blkid for untrusted block devices
+type blkid_untrusted, domain;
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+  dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow domain blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/fsck.te b/fsck.te
index 6a3d1ee..8c1aaf3 100644
--- a/fsck.te
+++ b/fsck.te
@@ -11,10 +11,15 @@ allow fsck tmpfs:chr_file { read write ioctl };
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck devpts:chr_file { read write ioctl getattr };
 
+# Allow stdin/out back to vold
+allow fsck vold:fd use;
+allow fsck vold:fifo_file { read write getattr };
+
 # Run fsck on certain block devices
 allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck dm_device:blk_file rw_file_perms;
 
 ###
 ### neverallow rules
@@ -32,7 +37,7 @@ neverallow fsck {
   vold_device
 }:blk_file no_rw_file_perms;
 
-# Only allow entry from init via fsck binaries
-neverallow { domain -init } fsck:process transition;
+# Only allow entry from init or vold via fsck binaries
+neverallow { domain -init -vold } fsck:process transition;
 neverallow domain fsck:process dyntransition;
 neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
new file mode 100644
index 0000000..67c67b7
--- /dev/null
+++ b/fsck_untrusted.te
@@ -0,0 +1,36 @@
+# Any fsck program run on untrusted block devices
+type fsck_untrusted, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck_untrusted vold:fd use;
+allow fsck_untrusted vold:fifo_file { read write getattr };
+
+# Run fsck on vold block devices
+allow fsck_untrusted block_device:dir search;
+allow fsck_untrusted vold_device:blk_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted fsck should never be run on block devices holding sensitive data
+neverallow fsck_untrusted {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+  userdata_block_device
+  cache_block_device
+  dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } fsck_untrusted:process transition;
+neverallow domain fsck_untrusted:process dyntransition;
+neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/vold.te b/vold.te
index c2bd064..dfdc3d9 100644
--- a/vold.te
+++ b/vold.te
@@ -6,9 +6,20 @@ init_daemon_domain(vold)
 
 # Switch to more restrictive domains when executing common tools
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, blkid_exec, blkid);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
-domain_auto_trans(vold, fsck_exec, vold_fsck);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, shell_exec, blkid);
+domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Allow us to jump into execution domains of above tools
+allow vold self:process setexec;
+
+# For sgdisk launched through popen()
+allow vold shell_exec:file rx_file_perms;
 
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
@@ -58,9 +69,6 @@ allow vold domain:{ file lnk_file } r_file_perms;
 allow vold domain:process { signal sigkill };
 allow vold self:capability { sys_ptrace kill };
 
-# For blkid and sgdisk
-allow vold shell_exec:file rx_file_perms;
-
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
diff --git a/vold_fsck.te b/vold_fsck.te
deleted file mode 100644
index e45c527..0000000
--- a/vold_fsck.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# Any fsck program run by vold
-type vold_fsck, domain;
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow vold_fsck devpts:chr_file { read write ioctl getattr };
-
-# Run fsck on certain block devices
-allow vold_fsck block_device:dir search;
-allow vold_fsck vold_device:blk_file rw_file_perms;
-
-# Allow stdin/out back to vold
-allow vold_fsck vold:fd use;
-allow vold_fsck vold:fifo_file { read write getattr };
-
-###
-### neverallow rules
-###
-
-# fsck should never be run on these block devices
-neverallow vold_fsck {
-  boot_block_device
-  frp_block_device
-  metadata_block_device
-  recovery_block_device
-  root_block_device
-  swap_block_device
-  system_block_device
-  userdata_block_device
-  cache_block_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via fsck binaries
-neverallow { domain -vold } vold_fsck:process transition;
-neverallow domain vold_fsck:process dyntransition;
-neverallow vold_fsck { file_type fs_type -fsck_exec }:file entrypoint;