From 4a12d9630ad22566bda75166e088cb05316e1934 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Fri, 1 May 2015 10:09:43 -0400
Subject: [PATCH] Ensure that domain and appdomain attributes are assigned.

Prevent defining any process types without the domain attribute so that all allow and neverallow rules written on domain are applied to all processes.

Prevent defining any app process types without the appdomain attribute so that all allow and neverallow rules written on appdomain are applied to all app processes.

Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389
Signed-off-by: Stephen Smalley
---
 domain.te | 8 ++++++++
 zygote.te | 12 ++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/domain.te b/domain.te
index 44612414f..4d115fd29 100644
--- a/domain.te
+++ b/domain.te
@@ -401,3 +401,11 @@ neverallow domain {
 # neverallow { domain -appdomain } file_type:file execmod;
 neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
diff --git a/zygote.te b/zygote.te
index d2f629ce5..0dba9b619 100644
--- a/zygote.te
+++ b/zygote.te
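Review bot: The two neverallow rules added at the end of the domain.te hunk only constrain process types that are entered through `transition` or `dyntransition`, so a type that is assigned to a process without either — most notably the initial kernel context at boot, which comes from an initial SID rather than a transition — is not forced into `domain` by them and still depends on an explicit `domain` attribute on its type declaration. The comment above the rules says it is "impossible" to end up in a non-domain type, which overstates this slightly; appending `# Types never entered via a transition (e.g. the initial boot context) must still declare the domain attribute explicitly.` would stop the next reader from relying on the rules alone. It is also worth a word in the comment that this is a policy-compile-time check: neverallow rules are enforced when the policy is built, not at runtime, so the guarantee holds only for builds where neverallow checking is run.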
@@ -64,3 +64,15 @@ allow zygote storage_file:dir { search mounton };
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server.
+neverallow zygote ~{ appdomain system_server }:process dyntransition;
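Review bot: The added neverallow at the end of the zygote.te hunk constrains only `dyntransition`, so the property stated in its comment — that zygote cannot end up in any process type outside `appdomain` plus `system_server` — holds only as long as zygote is granted no `process transition` rule anywhere else in the policy; none is visible in this hunk, and if that is the intent, writing it as `neverallow zygote ~{ appdomain system_server }:process { transition dyntransition };` covers both paths the way the companion rules in domain.te do. If zygote does need an exec-based transition somewhere, a short comment on the rule saying why `transition` is deliberately excluded would save the next reader from re-deriving that. The guarantee also rests on zygote being the only domain that spawns app process types, which the comment does not state; recording that assumption in one line next to the rule would make clear what a future policy change must preserve.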