| author | Nick Kralevich <nnk@google.com> | 2015-03-11 12:44:27 -0700 |
|---|---|---|
| committer | Nick Kralevich <nnk@google.com> | 2015-03-11 12:48:02 -0700 |
| commit | acc0842c4bed8690fe29858070215d7a74f4a44b (patch) | |
| tree | b872131565b2f88d5fe9208eb66027353553a044 /system_server.te | |
| parent | c01f7fd1c1569a0649703d24747ad1ddd857bc93 (diff) | |
system_server: neverallow blk_file read/write
With the exception of the factory reset protection block device,
don't allow system_server to read or write to any other block
devices. This helps protect against a system->root escalation
when system_server has the ability to directly manipulate raw
block devices / partitions / partition tables.
This change adds a neverallow rule, which is a compile time
assertion that no SELinux policy is written which allows this
access. No new rules are added or removed.
Change-Id: I388408423097ef7cf4950197b79d4be9d666362c
Diffstat (limited to 'system_server.te')
-rw-r--r-- | system_server.te | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/system_server.te b/system_server.te index ee3aa89..6630615 100644 --- a/system_server.te +++ b/system_server.te @@ -492,3 +492,8 @@ neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app # system server to dynamically load a dex file, something we do not # want to allow. neverallow system_server dex2oat_exec:file no_x_file_perms; + +# The only block device system_server should be accessing is +# the frp_block_device. This helps avoid a system_server to root +# escalation by writing to raw block devices. +neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms; |
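Review bot: the new comment describes the risk only as "escalation by writing to raw block devices", but the rule uses `no_rw_file_perms`, so it also forbids reading (and the commit title says "read/write"); suggest the comment say "reading from or writing to raw block devices" so the documentation matches the assertion. Also worth noting in the comment that the assertion is scoped to `{ dev_type -frp_block_device }`: it only guards block devices whose type carries the `dev_type` attribute, so a blk_file labeled with a type outside that attribute would not be caught at compile time.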