diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-10 16:31:04 -0500 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-02-12 11:14:16 -0500 |
commit | 5487ca00d4788de367a9d099714f6df4d86ef261 (patch) | |
tree | df70addd5d6e49779734f0562823d0fc6920bbd1 | |
parent | 3db328fd2c7d6b396a4a2f6204841a26d7783939 (diff) | |
download | android_external_sepolicy-5487ca00d4788de367a9d099714f6df4d86ef261.tar.gz android_external_sepolicy-5487ca00d4788de367a9d099714f6df4d86ef261.tar.bz2 android_external_sepolicy-5487ca00d4788de367a9d099714f6df4d86ef261.zip |
Remove several superuser capabilities from unconfined domains.
Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module. It can be added back where appropriate in device
policy if using a modular kernel. No neverallow since it is device
specific.
Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r-- | domain.te | 10 | ||||
-rw-r--r-- | init.te | 2 | ||||
-rw-r--r-- | kernel.te | 5 | ||||
-rw-r--r-- | recovery.te | 4 | ||||
-rw-r--r-- | unconfined.te | 2 |
5 files changed, 22 insertions, 1 deletions
@@ -154,7 +154,17 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto; ### neverallow rules ### +# Limit ability to ptrace or read sensitive /proc/pid files of processes +# with other UIDs to these whitelisted domains. +neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace; + +# Limit device node creation and raw I/O to these whitelisted domains. +neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold } self:capability { sys_rawio mknod }; + +# No domain needs mac_override as it is unused by SELinux. neverallow domain self:capability2 mac_override; + +# Only recovery needs mac_admin to set contexts not defined in current policy. neverallow { domain -recovery } self:capability2 mac_admin; # Only init should be able to load SELinux policies. @@ -7,6 +7,8 @@ relabelto_domain(init) # add a rule to handle unlabelled mounts allow init unlabeled:filesystem mount; +allow init self:capability { sys_rawio mknod }; + allow init fs_type:filesystem *; allow init {fs_type dev_type file_type}:dir_file_class_set relabelto; allow init kernel:security load_policy; @@ -16,3 +16,8 @@ allow kernel self:security setenforce; # Set checkreqprot by init.rc prior to switching to init domain. allow kernel self:security setcheckreqprot; + +# For operations performed by kernel or init prior to switching to init domain. +## TODO: Investigate whether it is safe to remove these +allow kernel self:capability { sys_rawio mknod }; +auditallow kernel self:capability { sys_rawio mknod }; diff --git a/recovery.te b/recovery.te index 37d6455..ea444c4 100644 --- a/recovery.te +++ b/recovery.te @@ -13,3 +13,7 @@ allow recovery fs_type:filesystem *; allow recovery self:process execmem; allow recovery ashmem_device:chr_file execute; allow recovery tmpfs:file rx_file_perms; + +## TODO: Investigate whether it is safe to remove these +allow recovery self:capability { sys_rawio mknod }; +auditallow recovery self:capability { sys_rawio mknod }; diff --git a/unconfined.te b/unconfined.te index ac0de84..8415ada 100644 --- a/unconfined.te +++ b/unconfined.te @@ -16,7 +16,7 @@ # The use of this template is discouraged. ###################################################### -allow unconfineddomain self:capability *; +allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module }; allow unconfineddomain self:capability2 ~{ mac_override mac_admin }; allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot }; allow unconfineddomain kernel:system *; |