neverallow: domain execute data_file_type
To help reduce code injection paths, a neverallow is placed to prevent domains, other than untrusted_app and shell, from executing data_file_type. A few data_file_types are also exempt from this rule as they label files that should be executable. Additional constraints, on top of the above, are placed on domains system_server and zygote. They can only execute data_file_types of type dalvikcache_data_file. Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02 Signed-off-by: William Roberts <william.c.roberts@intel.com>
This commit is contained in:
parent
99fe8df245
commit
7028bdccd5
3 changed files with 24 additions and 0 deletions
12
domain.te
12
domain.te
|
@ -304,6 +304,18 @@ neverallow {
|
|||
# Files from cache should never be executed
|
||||
neverallow domain { cache_file cache_backup_file }:file execute;
|
||||
|
||||
# Protect most domains from executing arbitrary content from /data.
|
||||
neverallow {
|
||||
domain
|
||||
-untrusted_app
|
||||
-shell
|
||||
} {
|
||||
data_file_type
|
||||
-dalvikcache_data_file
|
||||
-system_data_file # shared libs in apks
|
||||
-apk_data_file
|
||||
}:file no_x_file_perms;
|
||||
|
||||
# Only the init property service should write to /data/property.
|
||||
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
|
||||
neverallow { domain -init } property_data_file:file no_w_file_perms;
|
||||
|
|
|
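Review bot: The `-system_data_file # shared libs in apks` carve-out is the widest exemption in the new neverallow: as far as I can tell system_data_file is the catch-all label for much of /data, so any domain other than the three excluded types can still be granted exec on files carrying that label, and the stated intent of the comment above the rule ("Protect most domains from executing arbitrary content from /data") is only partly met. If the exemption exists solely for native libraries extracted from APKs, a dedicated type for that location would let the broad label be removed from the exception list; at minimum the inline comment should record why the catch-all label is excluded and that it is meant to be narrowed, e.g. `-system_data_file # TODO: narrow to a dedicated type for extracted app native libs`. Note that a neverallow is a policy build-time assertion, not a runtime denial: it only rejects allow rules elsewhere that would grant these permissions, so the protection depends on the carve-outs staying small.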
@ -440,6 +440,12 @@ neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app
|
|||
# want to allow.
|
||||
neverallow system_server dex2oat_exec:file no_x_file_perms;
|
||||
|
||||
# system_server should never execute anything from /data except for /data/dalvik-cache files.
|
||||
neverallow system_server {
|
||||
data_file_type
|
||||
-dalvikcache_data_file #mapping with PROT_EXEC
|
||||
}:file no_x_file_perms;
|
||||
|
||||
# The only block device system_server should be accessing is
|
||||
# the frp_block_device. This helps avoid a system_server to root
|
||||
# escalation by writing to raw block devices.
|
||||
|
|
|
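Review bot: The inline comment `-dalvikcache_data_file #mapping with PROT_EXEC` is the only comment in this hunk without a space after `#`, and its wording differs from the parallel zygote rule in the same commit (`# map PROT_EXEC`) for what looks like the same reason; use one form in both, e.g. `-dalvikcache_data_file # mapped with PROT_EXEC`. The file header for this section is not shown on the page, so I am inferring from the `@@` context that this is system_server.te. Since the domain.te rule in this commit already denies system_server exec on data_file_type except dalvikcache_data_file, system_data_file and apk_data_file, the effective tightening here (and in the zygote rule of this commit) is exactly those last two labels; a comment such as `# Stricter than the domain-wide rule: no system_data_file/apk_data_file carve-outs here.` would make that overlap explicit in both files.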
@ -78,3 +78,9 @@ allow zygote zygote_exec:file rx_file_perms;
|
|||
# setcon (dyntransition) to any types other than those associated
|
||||
# with appdomain plus system_server.
|
||||
neverallow zygote ~{ appdomain system_server }:process dyntransition;
|
||||
|
||||
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
|
||||
neverallow zygote {
|
||||
data_file_type
|
||||
-dalvikcache_data_file # map PROT_EXEC
|
||||
}:file no_x_file_perms;
|
||||
|
|