author | Stephen Smalley <sds@tycho.nsa.gov> | 2013-12-02 14:18:11 -0500 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2013-12-02 15:59:04 -0500 |
commit | d99e6d5fa135882bb51878a3c68ed3a2aebe7d04 (patch) | |
tree | 1c4cc818450c8a48b30cb267f3aeb7149c7a437d | |
parent | 51ce2f00c5410574015ba751b6e03fbddf12c176 (diff) | |
Restrict the ability to set SELinux enforcing mode to init.
Also make su and shell permissive in non-user builds to allow
use of setenforce without violating the neverallow rule.
Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r-- | Android.mk | 2 | ||||
-rw-r--r-- | domain.te | 4 | ||||
-rw-r--r-- | init.te | 2 | ||||
-rw-r--r-- | shell.te | 3 | ||||
-rw-r--r-- | shell_user.te | 8 | ||||
-rw-r--r-- | su.te | 3 | ||||
-rw-r--r-- | te_macros | 8 | ||||
-rw-r--r-- | unconfined.te | 2 |
8 files changed, 22 insertions, 10 deletions
@@ -11,8 +11,10 @@ MLS_SENS=1
 MLS_CATS=1024
 ifeq ($(TARGET_BUILD_VARIANT),user)
+ BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell.te
 BOARD_SEPOLICY_IGNORE+=external/sepolicy/su.te
 else
+ BOARD_SEPOLICY_IGNORE+=external/sepolicy/shell_user.te
 BOARD_SEPOLICY_IGNORE+=external/sepolicy/su_user.te
 endif
@@ -131,8 +131,8 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 ### neverallow rules ###
-# Only init should be able to load SELinux policies
-neverallow { domain -init } kernel:security load_policy;
+# Only init should be able to load SELinux policies and set enforcing mode.
+neverallow { domain -init } kernel:security { load_policy setenforce };
 # Only init, ueventd and system_server should be able to access HW RNG
 neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
@@ -8,4 +8,4 @@ relabelto_domain(init)
 allow init unlabeled:filesystem mount;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
-allow init kernel:security load_policy;
+allow init kernel:security { load_policy setenforce };
@@ -6,3 +6,6 @@ unconfined_domain(shell)
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
+
+# shell is also permissive to permit setenforce.
+permissive shell;
diff --git a/shell_user.te b/shell_user.te
new file mode 100644
index 0000000..8b51003
--- /dev/null
+++ b/shell_user.te
@@ -0,0 +1,8 @@
+# Domain for shell processes spawned by ADB
+type shell, domain;
+type shell_exec, exec_type, file_type;
+unconfined_domain(shell)
+
+# Run app_process.
+# XXX Split into its own domain?
+app_domain(shell)
@@ -4,3 +4,6 @@ domain_auto_trans(shell, su_exec, su)
 # su is unconfined.
 unconfined_domain(su)
+
+# su is also permissive to permit setenforce.
+permissive su;
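Review bot: The comment on the new neverallow in the domain.te hunk does not explain how su and shell can still run setenforce in non-user builds, which a reader of domain.te alone will wonder about since `{ domain -init }` covers both of them. neverallow is evaluated at policy build time against allow rules, so the `permissive shell;` and `permissive su;` declarations added in shell.te and su.te are what let those domains call setenforce at runtime without any allow rule; a one-line cross-reference would stop someone from later "fixing" this by adding an exception to the neverallow. Suggested addition under the new comment: `# su/shell in non-user builds are permissive (see shell.te, su.te), not exempted here.`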
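Review bot: `permissive shell;` in the shell.te hunk has a much wider effect than its comment states: it disables enforcement for every access from the shell domain in non-user builds, so any policy regression affecting shell (and, through the identical line in the su.te hunk, su) is only audited, never blocked, and will not surface until a user build. The comment should record that scope so the line is not mistaken for a narrow setenforce grant, e.g. `# shell is permissive (denials are audited, never enforced) so that setenforce works in non-user builds.` The same wording applies to the su.te hunk.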
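Review bot: The new shell_user.te repeats shell.te line for line except for the permissive tail, and nothing in either file says they are alternates chosen by BOARD_SEPOLICY_IGNORE in Android.mk according to TARGET_BUILD_VARIANT; a future edit to one will be missed in the other. A header comment in both files would keep them from drifting apart: `# User-build variant of shell.te; keep the two in sync (selection is done in Android.mk via BOARD_SEPOLICY_IGNORE).` The Android.mk hunk applies the same scheme to su.te and su_user.te, so the same comment is worth adding there.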
@@ -250,13 +250,9 @@ allow $1 rootfs:file r_file_perms;
 #####################################
 # selinux_manage_policy(domain)
-# Ability to manage policy files,
-# trigger runtime reload, change
-# enforcing mode, manipulate booleans
-# and access kernel logs.
+# Ability to manage policy files and
+# trigger runtime reload.
 define(`selinux_manage_policy', `
-selinux_setenforce($1)
-selinux_setbool($1)
 security_access_policy($1)
 unix_socket_connect($1, property, init)
 allow $1 security_file:dir create_dir_perms;
diff --git a/unconfined.te b/unconfined.te
index 35db54f..f6899c2 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -17,7 +17,7 @@
 ######################################################
 allow unconfineddomain self:capability_class_set *;
-allow unconfineddomain kernel:security ~load_policy;
+allow unconfineddomain kernel:security ~{ load_policy setenforce };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain self:memprotect *;
 allow unconfineddomain domain:process *;
|
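Review bot: Dropping `selinux_setbool($1)` from the selinux_manage_policy macro in the te_macros hunk goes beyond the setenforce restriction the title describes, and neither the commit message nor the rewritten macro comment says why; every caller of the macro silently loses kernel:security setbool, while domain.te adds no neverallow for setbool, so it is unclear whether this is an intended tightening or collateral. If intended, state it in the macro comment (`# Note: setbool and setenforce are deliberately not granted here.`); if not, keep the `selinux_setbool($1)` line. The macro definition body continues past the end of the hunk.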
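Review bot: The complement `~{ load_policy setenforce }` in the unconfined.te hunk still grants unconfineddomain every other kernel:security permission, including setcheckreqprot (assuming this tree's access_vectors declares it as upstream refpolicy does), which also changes how the policy is enforced from userspace; if the intent is that only init can alter enforcement, it belongs in the same exclusion set here and in the domain.te neverallow, e.g. `allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };`. Whether any unconfined domain currently depends on it cannot be told from this hunk, so a build-time neverallow check would be the way to find out.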