| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Linux defines two capabilities for Mandatory Access Control (MAC)
security modules, CAP_MAC_OVERRIDE (override MAC access restrictions)
and CAP_MAC_ADMIN (allow MAC configuration or state changes).
SELinux predates these capabilities and did not originally use them,
but later made use of CAP_MAC_ADMIN as a way to control the ability
to set security context values unknown to the currently loaded
SELinux policy on files. That facility is used in Linux for e.g.
livecd creation where a file security context that is being set
on a generated filesystem is not known to the build host policy.
Internally, files with such labels are treated as having the unlabeled
security context for permission checking purposes until/unless the
context is later defined through a policy reload.
CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs
to be allowed. CAP_MAC_ADMIN is only checked if setting an
unknown security context value; the only legitimate use I can see
in Android is the recovery console, where a context may need to be set
on /system that is not defined in the recovery policy.
Remove these capabilities from unconfined domains, allow
mac_admin for the recovery domain, and add neverallow rules.
Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
|
|
|
| |
Change-Id: Ie3d73d2c8d5c73e8bd359123f6fd3c006f332323
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Requires execmem and ashmem_device:chr_file execute similar to bootanim
presumably for the display.
Did not see any cache_file execute denials and do not see any
exec of /cache files in the code, only reading/interpreting scripts,
so I removed cache_file rx_file_perms.
Did not see any tmpfs execute denials in /proc/last_kmsg but the
source code appears to extract the update-binary to a tmpfs mount
in /tmp and then exec it. So I retained that rule.
Tested with adb sideload.
Change-Id: I8ca5f2cd390be1adf063f16e6280cc4cd1833c0e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
|
Define a domain for use by the recovery init.rc file for
/sbin/recovery. Start with a copy of the kernel domain
rules since that is what /sbin/recovery was previously running in,
and then add rules as appropriate.
Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|