Ensure that domain and appdomain attributes are assigned.

Prevent defining any process types without the domain attribute so that all allow and neverallow rules written on domain are applied to all processes. Prevent defining any app process types without the appdomain attribute so that all allow and neverallow rules written on appdomain are applied to all app processes. Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-05-01 10:09:43 -04:00 · 2015-05-01 10:09:43 -04:00 · 4a12d9630a
commit 4a12d9630a
parent 8f821db783
2 changed files with 20 additions and 0 deletions
--- a/domain.te
+++ b/domain.te
@ -401,3 +401,11 @@ neverallow domain {
 # neverallow { domain -appdomain } file_type:file execmod;

 neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
--- a/zygote.te
+++ b/zygote.te
@ -64,3 +64,15 @@ allow zygote storage_file:dir { search mounton };

 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server.
+neverallow zygote ~{ appdomain system_server }:process dyntransition;