From 04ee5dfb80491f8493fedcd099bd4551c9503c83 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Thu, 30 Jan 2014 13:23:08 -0500 Subject: Remove MAC capabilities from unconfined domains. Linux defines two capabilities for Mandatory Access Control (MAC) security modules, CAP_MAC_OVERRIDE (override MAC access restrictions) and CAP_MAC_ADMIN (allow MAC configuration or state changes). SELinux predates these capabilities and did not originally use them, but later made use of CAP_MAC_ADMIN as a way to control the ability to set security context values unknown to the currently loaded SELinux policy on files. That facility is used in Linux for e.g. livecd creation where a file security context that is being set on a generated filesystem is not known to the build host policy. Internally, files with such labels are treated as having the unlabeled security context for permission checking purposes until/unless the context is later defined through a policy reload. CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs to be allowed. CAP_MAC_ADMIN is only checked if setting an unknown security context value; the only legitimate use I can see in Android is the recovery console, where a context may need to be set on /system that is not defined in the recovery policy. Remove these capabilities from unconfined domains, allow mac_admin for the recovery domain, and add neverallow rules. Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150 Signed-off-by: Stephen Smalley --- recovery.te | 2 ++ 1 file changed, 2 insertions(+) (limited to 'recovery.te') diff --git a/recovery.te b/recovery.te index eb2a2b0..abcf0cf 100644 --- a/recovery.te +++ b/recovery.te @@ -4,6 +4,8 @@ allow recovery rootfs:file entrypoint; unconfined_domain(recovery) relabelto_domain(recovery) +allow recovery self:capability2 mac_admin; + allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto; allow recovery unlabeled:filesystem mount; -- cgit v1.2.3