From 7a0611b00611512b43a9739b7ca4a2c1e74c6db0 Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Thu, 8 Jun 2023 20:54:49 +0000
Subject: [PATCH] Remove write permission from file mode of top-level user dirs

Due to the work done for b/156305599 ("Ensure no process except vold can create directories like /data/system_ce/0"), the SELinux policy now enforces that vold is the only process that can write to directories that contain per-user encrypted subdirectories. This is essential to prevent bugs where directories that are supposed to be encrypted get created too early so are not actually encrypted as intended.

However, this only works when SELinux is in enforcing mode. When SELinux is in permissive mode, only DAC is enforced, and the file modes allow other processes to write to many of these directories. That allows system_server to break things once again.

Therefore, remove the write bit from the file modes so that write access is always denied to processes that don't have CAP_DAC_OVERRIDE. This is not as strong a restriction as the SELinux policy, which still applies independently, but it does keep out system_server by itself.

Also remove the sticky bit from /data/misc_ce and /data/misc_de, since there is no reason for it. (It probably was originally copied from /data/misc, which might need it. But misc_{ce,de} don't need it.)

Bug: 285239971
Test: Booted Cuttlefish
Change-Id: I1213a4d18c5f851acf213d786400d79d73777ed0
---
 rootdir/init.rc | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 0ee85c741..534436852 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -919,15 +919,22 @@ on post-fs-data # encryption policies apply recursively. These directories should never # contain any subdirectories other than the per-user ones. /data/media/obb # is an exception that exists for legacy reasons. - mkdir /data/media 0770 media_rw media_rw encryption=None - mkdir /data/misc_ce 01771 system misc encryption=None - mkdir /data/misc_de 01771 system misc encryption=None - mkdir /data/system_ce 0770 system system encryption=None - mkdir /data/system_de 0770 system system encryption=None - mkdir /data/user 0711 system system encryption=None - mkdir /data/user_de 0711 system system encryption=None - mkdir /data/vendor_ce 0771 root root encryption=None - mkdir /data/vendor_de 0771 root root encryption=None + # + # Don't use any write mode bits (0222) for any of these directories, since + # the only process that should write to them directly is vold (since it + # needs to set up file-based encryption on the subdirectories), which runs + # as root with CAP_DAC_OVERRIDE. This is also fully enforced via the + # SELinux policy. But we also set the DAC file modes accordingly, to try to + # minimize differences in behavior if SELinux is set to permissive mode. + mkdir /data/media 0550 media_rw media_rw encryption=None + mkdir /data/misc_ce 0551 system misc encryption=None + mkdir /data/misc_de 0551 system misc encryption=None + mkdir /data/system_ce 0550 system system encryption=None + mkdir /data/system_de 0550 system system encryption=None + mkdir /data/user 0511 system system encryption=None + mkdir /data/user_de 0511 system system encryption=None + mkdir /data/vendor_ce 0551 root root encryption=None + mkdir /data/vendor_de 0551 root root encryption=None # Set the casefold flag on /data/media. For upgrades, a restorecon can be # needed first to relabel the directory from media_rw_data_file.
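Review bot: the Test line covers only a fresh Cuttlefish boot, but this hunk changes the modes of directories that already exist on every upgrading device (for example /data/system_ce 0770 -> 0550, /data/misc_ce 01771 -> 0551, /data/user 0711 -> 0511), so please confirm that init's `mkdir` re-applies the new mode to a pre-existing directory and add an upgrade boot to the Test line; otherwise the DAC hardening only takes effect on fresh installs. Two smaller points on the new comment block: it explains why the write bits (0222) are dropped but says nothing about the sticky bit that disappears from /data/misc_ce and /data/misc_de in the same lines, so a reader diffing 01771 against 0551 cannot tell from init.rc alone that this was intentional; one sentence there (mirroring the commit message) would help. It would also be worth stating that the search/execute bits are kept exactly as before (0711 -> 0511, 0771 -> 0551, 0770 -> 0550), i.e. only write access is removed and path lookup into the per-user subdirectories by other processes is unchanged, since that is the property that makes the change safe for everything that is not vold.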