am 75e2ef92
: Restrict use of context= mount options.
* commit '75e2ef92601c485348c40cc8884839fba27046ba': Restrict use of context= mount options.
This commit is contained in:
commit
05dbf1ac44
4 changed files with 34 additions and 6 deletions
10
domain.te
10
domain.te
|
@ -259,3 +259,13 @@ neverallow { domain -init } property_data_file:file { create setattr relabelfrom
|
|||
# Only recovery should be doing writes to /system
|
||||
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# Restrict context mounts to specific types marked with
|
||||
# the contextmount_type attribute.
|
||||
neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
|
||||
|
||||
# Ensure that context mount types are not writable, to ensure that
|
||||
# the write to /system restriction above is not bypassed via context=
|
||||
# mount to another type.
|
||||
neverallow { domain -recovery } contextmount_type:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
|
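Review bot: Both new neverallow rules reference `contextmount_type`, but no `attribute contextmount_type;` declaration appears in any of the four files of this commit; unless it is already declared elsewhere (the attributes file, presumably) the policy will not build, so that declaration belongs in the same change or should be confirmed to exist. The first rule constrains only `filesystem relabelto`; if my reading of the kernel's mount hooks is right, that is what `context=` and `fscontext=` are checked against, while `defcontext=`/`rootcontext=` are checked via `filesystem associate` instead, so the comment should say which options it covers, e.g. `# This covers context= and fscontext= (checked as filesystem relabelto); defcontext=/rootcontext= are checked via associate.` The second rule exempts recovery only, which matches the /system write exemption above it.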
13
init.te
13
init.te
|
@ -10,8 +10,17 @@ allow init self:capability { sys_rawio mknod };
|
|||
allow init dev_type:blk_file rw_file_perms;
|
||||
|
||||
# Mounting filesystems.
|
||||
allow init fs_type:filesystem *;
|
||||
allow init unlabeled:filesystem *;
|
||||
# Only allow relabelto for types used in context= mount options,
|
||||
# which should all be assigned the contextmount_type attribute.
|
||||
# This can be done in device-specific policy via type or typeattribute
|
||||
# declarations.
|
||||
allow init fs_type:filesystem ~relabelto;
|
||||
allow init unlabeled:filesystem ~relabelto;
|
||||
allow init contextmount_type:filesystem relabelto;
|
||||
|
||||
# Allow read-only access to context= mounted filesystems.
|
||||
allow init contextmount_type:dir r_dir_perms;
|
||||
allow init contextmount_type:notdevfile_class_set r_file_perms;
|
||||
|
||||
# restorecon and restorecon_recursive calls from init.rc files.
|
||||
# system/core/init.rc requires at least cache_file and data_file_type.
|
||||
|
|
|
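Review bot: The new comment block tells device-policy authors to tag their `context=` types with `contextmount_type` via `type` or `typeattribute`, but omits the companion restriction in domain.te that forbids every domain except recovery from creating or writing `contextmount_type` objects, which is the build-time neverallow they will hit first if they tag a writable type. Suggest appending `# Such types must be read-only for all domains except recovery (see domain.te).` to that comment block. Replacing `*` with `~relabelto` keeps `relabelfrom`, which is still needed for a context= mount, so the split itself reads correctly.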
@ -17,8 +17,9 @@ recovery_only(`
|
|||
|
||||
# Mount filesystems.
|
||||
allow recovery rootfs:dir mounton;
|
||||
allow recovery fs_type:filesystem *;
|
||||
allow recovery unlabeled:filesystem *;
|
||||
allow recovery fs_type:filesystem ~relabelto;
|
||||
allow recovery unlabeled:filesystem ~relabelto;
|
||||
allow recovery contextmount_type:filesystem relabelto;
|
||||
|
||||
# Create and relabel files and directories under /system.
|
||||
allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
||||
|
|
|
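Review bot: The three replaced `filesystem` rules carry no comment explaining why `relabelto` is split out, unlike the equivalent change in init.te, so a reader of this file alone cannot tell the split is deliberate. Suggest one line above `allow recovery fs_type:filesystem ~relabelto;` such as `# relabelto is limited to contextmount_type, i.e. context= mounts (see domain.te).` The enclosing `recovery_only(` macro block begins before the hunk.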
@ -48,7 +48,8 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
|
|||
allow unconfineddomain domain:socket_class_set *;
|
||||
allow unconfineddomain domain:ipc_class_set *;
|
||||
allow unconfineddomain domain:key *;
|
||||
allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
|
||||
allow unconfineddomain {fs_type -contextmount_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
|
||||
allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
|
||||
allow unconfineddomain {
|
||||
file_type
|
||||
-keystore_data_file
|
||||
|
@ -61,7 +62,12 @@ allow unconfineddomain {
|
|||
allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
|
||||
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
|
||||
allow unconfineddomain {
|
||||
fs_type
|
||||
-usermodehelper
|
||||
-proc_security
|
||||
-contextmount_type
|
||||
}:{ chr_file file } ~{entrypoint execmod execute relabelto};
|
||||
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
|
||||
allow unconfineddomain {
|
||||
file_type
|
||||
|
@ -73,6 +79,8 @@ allow unconfineddomain {
|
|||
-shell_data_file
|
||||
}:{ chr_file file } ~{entrypoint execmod execute relabelto};
|
||||
allow unconfineddomain { rootfs system_file exec_type }:file execute;
|
||||
allow unconfineddomain contextmount_type:dir r_dir_perms;
|
||||
allow unconfineddomain contextmount_type:notdevfile_class_set r_file_perms;
|
||||
allow unconfineddomain node_type:node *;
|
||||
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
|
||||
allow unconfineddomain netif_type:netif *;
|
||||
|
|
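Review bot: The two read-only rules added in the third hunk (`allow unconfineddomain contextmount_type:dir r_dir_perms;` and the `notdevfile_class_set r_file_perms` line) have no comment, while the identical pair in init.te is introduced by `# Allow read-only access to context= mounted filesystems.`; reusing that line here keeps the two files parallel. The `-contextmount_type` exclusions in the first and second hunks likewise give no pointer to the write neverallow in domain.te that forces them, so a short `# contextmount_type is excluded: domain.te forbids writes to context= mounted types` above the first split rule would explain why the old `{fs_type dev_type}` set was broken in two. Everything else in these hunks is unchanged context.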