diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-01-30 13:23:08 -0500 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-01-30 14:36:57 -0500 |
commit | 04ee5dfb80491f8493fedcd099bd4551c9503c83 (patch) | |
tree | 93b8c4a356b34db766cd84eaef6b612daad78b73 /recovery.te | |
parent | 997680a3b78db39cf442f80fd92d4eb93d0f262a (diff) | |
download | android_external_sepolicy-04ee5dfb80491f8493fedcd099bd4551c9503c83.tar.gz android_external_sepolicy-04ee5dfb80491f8493fedcd099bd4551c9503c83.tar.bz2 android_external_sepolicy-04ee5dfb80491f8493fedcd099bd4551c9503c83.zip |
Remove MAC capabilities from unconfined domains.
Linux defines two capabilities for Mandatory Access Control (MAC)
security modules, CAP_MAC_OVERRIDE (override MAC access restrictions)
and CAP_MAC_ADMIN (allow MAC configuration or state changes).
SELinux predates these capabilities and did not originally use them,
but later made use of CAP_MAC_ADMIN as a way to control the ability
to set security context values unknown to the currently loaded
SELinux policy on files. That facility is used in Linux for e.g.
livecd creation where a file security context that is being set
on a generated filesystem is not known to the build host policy.
Internally, files with such labels are treated as having the unlabeled
security context for permission checking purposes until/unless the
context is later defined through a policy reload.
CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs
to be allowed. CAP_MAC_ADMIN is only checked if setting an
unknown security context value; the only legitimate use I can see
in Android is the recovery console, where a context may need to be set
on /system that is not defined in the recovery policy.
Remove these capabilities from unconfined domains, allow
mac_admin for the recovery domain, and add neverallow rules.
Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'recovery.te')
-rw-r--r-- | recovery.te | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/recovery.te b/recovery.te index eb2a2b0..abcf0cf 100644 --- a/recovery.te +++ b/recovery.te @@ -4,6 +4,8 @@ allow recovery rootfs:file entrypoint; unconfined_domain(recovery) relabelto_domain(recovery) +allow recovery self:capability2 mac_admin; + allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto; allow recovery unlabeled:filesystem mount; |