From 025b7df2987cb086fa0f67383569414961679260 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Fri, 13 Mar 2015 17:07:39 -0400 Subject: [PATCH] sepolicy: Clean up mls constraints. Require equivalence for all write operations. We were already doing this for app_data_file as a result of restricting open rather than read/write, so this makes the model consistent across all objects and operations. It also addresses the scenario where we have mixed usage of levelFrom=all and levelFrom=user for different apps on the same device where the dominated-by (domby) relation may not be sufficiently restrictive. Drop the System V IPC constraints since System V IPC is never allowed by TE and thus these constraints are dead policy. Change-Id: Ic06a35030c086e3978c02d501c380889af8d21e0 Signed-off-by: Stephen Smalley --- mls | 34 +++++++++------------------------- 1 file changed, 9 insertions(+), 25 deletions(-) diff --git a/mls b/mls index 474bd72bd..5589b4b55 100644 --- a/mls +++ b/mls @@ -26,9 +26,9 @@ mlsconstrain process { transition dyntransition } mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share } (l1 dom l2 or t1 == mlstrustedsubject); -# Process write operations: No write down unless trusted. +# Process write operations: Require equivalence unless trusted. mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share } - (l1 domby l2 or t1 == mlstrustedsubject); + (l1 eq l2 or t1 == mlstrustedsubject); # # Socket constraints @@ -39,10 +39,10 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit mlsconstrain socket_class_set { create relabelfrom relabelto } ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject); -# Datagram send: Sender must be dominated by receiver unless one of them is -# trusted. +# Datagram send: Sender must be equivalent to the receiver unless one of them +# is trusted. mlsconstrain unix_dgram_socket { sendto } - (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); + (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject); # Stream connect: Client must be equivalent to server unless one of them # is trusted. @@ -83,13 +83,13 @@ mlsconstrain dir { read getattr search } mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute } (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); -# Write operations: Subject must be dominated by the object unless the +# Write operations: Subject must be equivalent to the object unless the # subject or the object is trusted. mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir } - (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename } - (t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); + (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject); # Special case for FIFOs. # These can be unnamed pipes, in which case they will be labeled with the @@ -100,23 +100,7 @@ mlsconstrain fifo_file { read getattr } (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); mlsconstrain fifo_file { write setattr append unlink link rename } - (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); - -# -# IPC constraints -# - -# Create/destroy: equivalence or trusted. -mlsconstrain ipc_class_set { create destroy } - (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject)); - -# Read ops: No read up unless trusted. -mlsconstrain ipc_class_set r_ipc_perms - (l1 dom l2 or t1 == mlstrustedsubject); - -# Write ops: No write down unless trusted. -mlsconstrain ipc_class_set w_ipc_perms - (l1 domby l2 or t1 == mlstrustedsubject); + (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain); # # Binder IPC constraints