system_server: neverallow blk_file read/write With the exception of the factory reset protection block device, don't allow system_server to read or write to any other block devices. This helps protect against a system->root escalation when system_server has the ability to directly minipulate raw block devices / partitions / partition tables. This change adds a neverallow rule, which is a compile time assertion that no SELinux policy is written which allows this access. No new rules are added or removed. Change-Id: I388408423097ef7cf4950197b79d4be9d666362c

commit: acc0842c4bed8690fe29858070215d7a74f4a44b [log] [tgz]
author: Nick Kralevich <nnk@google.com> Wed Mar 11 12:44:27 2015 -0700
committer: Nick Kralevich <nnk@google.com> Wed Mar 11 12:48:02 2015 -0700
tree: b872131565b2f88d5fe9208eb66027353553a044
parent: c01f7fd1c1569a0649703d24747ad1ddd857bc93 [diff] [blame]
diff --git a/neverallow_macros b/neverallow_macros
index 3593dd1..b36cceb 100644
--- a/neverallow_macros
+++ b/neverallow_macros

@@ -1,5 +1,6 @@
 #
 # Common neverallow permissions
 define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
 define(`no_x_file_perms', `{ execute execute_no_trans }')
 define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
commit	acc0842c4bed8690fe29858070215d7a74f4a44b	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Wed Mar 11 12:44:27 2015 -0700
committer	Nick Kralevich <nnk@google.com>	Wed Mar 11 12:48:02 2015 -0700
tree	b872131565b2f88d5fe9208eb66027353553a044
parent	c01f7fd1c1569a0649703d24747ad1ddd857bc93 [diff] [blame]