Remove block device access from unconfined domains.
Only allow it to the domains that require it, and amend the existing neverallow on block_device:blk_file so that the exemption for unconfineddomain is replaced by an explicit whitelist. The neverallow does not check other device types, as specific ones may need to be writable by device-specific domains. Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent
5487ca00d4
commit
3f40d4f4b1
5 changed files with 8 additions and 2 deletions
@ -203,7 +203,7 @@ neverallow domain init:binder call;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read write };
neverallow { domain -kernel -init -recovery -vold } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
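Review bot: The rewritten rule `neverallow { domain -kernel -init -recovery -vold } block_device:blk_file { open read write };` carries no comment saying why those four domains are exempt or that they are meant to be the complete set of raw block-device users, so the next domain added to the list has no stated standard to meet. I would put a line above it, `# Only kernel, init, recovery and vold may touch raw block devices; any new exemption here needs a stated reason.` It is also worth recording beside the rule that it checks only the `block_device` label, because the allows this commit adds to init and recovery are on `dev_type:blk_file`, which is wider; the commit message says this is deliberate, but the policy file itself does not. The comment block on generic devices that follows continues past the end of the hunk.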
1
init.te
@ -9,6 +9,7 @@ allow init unlabeled:filesystem mount;
allow init self:capability { sys_rawio mknod };
allow init dev_type:blk_file rw_file_perms;
allow init fs_type:filesystem *;
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow init kernel:security load_policy;
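Review bot: `allow init dev_type:blk_file rw_file_perms;` is added with no comment giving the reason, whereas the parallel line this commit adds to recovery.te is annotated (`# Required to e.g. wipe userdata/cache.`). Since init is one of the four domains exempted from the block_device neverallow in domain.te, the grant deserves the same one-line justification, e.g. `# Raw block device access during early boot — presumably for mounting/fs setup before relabel; confirm the exact uses.` Note that the rule is on dev_type, i.e. every block device regardless of label, not only block_device; if init in practice only needs the unlabeled block_device case, the narrower type would be tighter, but that cannot be judged from this hunk.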
@ -21,3 +21,5 @@ allow kernel self:security setcheckreqprot;
## TODO: Investigate whether it is safe to remove these
allow kernel self:capability { sys_rawio mknod };
auditallow kernel self:capability { sys_rawio mknod };
allow kernel dev_type:blk_file rw_file_perms;
auditallow kernel dev_type:blk_file rw_file_perms;
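Review bot: The new `allow`/`auditallow` pair for `kernel dev_type:blk_file rw_file_perms` sits under the existing `## TODO: Investigate whether it is safe to remove these` heading, which until now referred only to the sys_rawio/mknod capability rule, so the comment should be widened to say the raw blk_file access is equally provisional, e.g. `## TODO: Investigate whether it is safe to remove these (sys_rawio/mknod and raw blk_file access); the auditallow rules log any use.` Without that a reader may take the audit rules as permanent instrumentation rather than a removal experiment. Pairing the allow with an auditallow is the right way to gather the evidence, provided someone actually checks the audit log for granted events across boots.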
@ -10,6 +10,9 @@ allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set rela
allow recovery unlabeled:filesystem mount;
allow recovery fs_type:filesystem *;
# Required to e.g. wipe userdata/cache.
allow recovery dev_type:blk_file rw_file_perms;
allow recovery self:process execmem;
allow recovery ashmem_device:chr_file execute;
allow recovery tmpfs:file rx_file_perms;
@ -28,7 +28,7 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
allow unconfineddomain domain:socket_class_set *;
allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type dev_type file_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};