diff options
-rw-r--r-- | domain.te | 10 | ||||
-rw-r--r-- | init.te | 2 | ||||
-rw-r--r-- | kernel.te | 5 | ||||
-rw-r--r-- | recovery.te | 4 | ||||
-rw-r--r-- | unconfined.te | 2 |
5 files changed, 22 insertions, 1 deletions
@@ -154,7 +154,17 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto; ### neverallow rules ### +# Limit ability to ptrace or read sensitive /proc/pid files of processes +# with other UIDs to these whitelisted domains. +neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace; + +# Limit device node creation and raw I/O to these whitelisted domains. +neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold } self:capability { sys_rawio mknod }; + +# No domain needs mac_override as it is unused by SELinux. neverallow domain self:capability2 mac_override; + +# Only recovery needs mac_admin to set contexts not defined in current policy. neverallow { domain -recovery } self:capability2 mac_admin; # Only init should be able to load SELinux policies. @@ -7,6 +7,8 @@ relabelto_domain(init) # add a rule to handle unlabelled mounts allow init unlabeled:filesystem mount; +allow init self:capability { sys_rawio mknod }; + allow init fs_type:filesystem *; allow init {fs_type dev_type file_type}:dir_file_class_set relabelto; allow init kernel:security load_policy; @@ -16,3 +16,8 @@ allow kernel self:security setenforce; # Set checkreqprot by init.rc prior to switching to init domain. allow kernel self:security setcheckreqprot; + +# For operations performed by kernel or init prior to switching to init domain. +## TODO: Investigate whether it is safe to remove these +allow kernel self:capability { sys_rawio mknod }; +auditallow kernel self:capability { sys_rawio mknod }; diff --git a/recovery.te b/recovery.te index 37d6455..ea444c4 100644 --- a/recovery.te +++ b/recovery.te @@ -13,3 +13,7 @@ allow recovery fs_type:filesystem *; allow recovery self:process execmem; allow recovery ashmem_device:chr_file execute; allow recovery tmpfs:file rx_file_perms; + +## TODO: Investigate whether it is safe to remove these +allow recovery self:capability { sys_rawio mknod }; +auditallow recovery self:capability { sys_rawio mknod }; diff --git a/unconfined.te b/unconfined.te index ac0de84..8415ada 100644 --- a/unconfined.te +++ b/unconfined.te @@ -16,7 +16,7 @@ # The use of this template is discouraged. ###################################################### -allow unconfineddomain self:capability *; +allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module }; allow unconfineddomain self:capability2 ~{ mac_override mac_admin }; allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot }; allow unconfineddomain kernel:system *; |