From 74ddf301a086a829787ed4fd98154a86534cf5d7 Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Mon, 23 Feb 2015 12:33:34 -0800
Subject: [PATCH] neverallow mounton lnk_file fifo_file sock_file

Add a compile time assertion that no SELinux rule exists which allows mounting on top of symbolic links, fifo files, or socket files. Remove the capability from unconfined domains.

Change-Id: I6d7cc95cd17e2e5f165fa5948563800ed206bb71
---
 domain.te | 4 ++++
 unconfined.te | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/domain.te b/domain.te
index 731e0c494..1e3b2fb2b 100644
--- a/domain.te
+++ b/domain.te
@@ -362,3 +362,7 @@ neverallow {
 # that over time, the kernel global tables used to implement SysV IPCs will fill
 # up.
 neverallow domain domain:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
diff --git a/unconfined.te b/unconfined.te
index d9a5b04e6..559ed593a 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -43,8 +43,8 @@ allow unconfineddomain domain:{ tun_socket } *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
+allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
 allow unconfineddomain { file_type
 -keystore_data_file
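Review bot: The rationale comment on the new neverallow in domain.te is too thin for an assertion that will reject future policy at build time: "Feature parity with Chromium LSM" records where the idea came from, not what it prevents or why no domain should ever need it. I would expand it to something like `# Nothing on Android needs to mount over a symlink, fifo or socket; mounting over a symlink in particular is a well-known way to redirect a mount to an unintended path. Keep this in sync with the ~{ relabelto mounton } rules in unconfined.te.` Note also that the target set `{ file_type fs_type dev_type }` only reaches types that carry one of those attributes, so a file-like type declared without any of them would escape the assertion; `unlabeled` itself appears to be covered, since unconfined.te subtracts it from `file_type`, but this is worth keeping in mind when new types are declared.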
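Review bot: The new `~{ relabelto mounton }` permission sets in the fs_type and dev_type rules also withdraw `mounton` on the `dir` class, which goes beyond what the commit message and the domain.te assertion (lnk_file, fifo_file and sock_file only) describe; any unconfined domain that mounts onto an fs_type or dev_type directory now depends on an explicit per-domain rule, unless another rule outside this hunk still grants it. If that tightening is intended, say so in the commit message and in a comment above these rules; if not, confine the removal to the three classes the assertion covers, e.g. `allow unconfineddomain dev_type:dir ~relabelto;` and `allow unconfineddomain dev_type:{ lnk_file sock_file fifo_file } ~{ relabelto mounton };`, with the same split applied to the fs_type rule. The `allow unconfineddomain { file_type` statement at the end of this hunk continues into the next hunk.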
@@ -55,7 +55,7 @@ allow unconfineddomain {
 -shell_data_file
 -app_data_file
 -unlabeled
-}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
 allow unconfineddomain exec_type:dir r_dir_perms;
 allow unconfineddomain exec_type:file { r_file_perms execute };
 allow unconfineddomain exec_type:lnk_file r_file_perms;
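Review bot: Nothing near the three rewritten `~{ relabelto mounton }` rules says why `mounton` is now withheld from unconfined domains, so a reader has to go find the new assertion in domain.te to understand the change; a one-line comment above the first of them, e.g. `# mounton is withheld here so that the neverallow in domain.te holds; grant it explicitly per domain if one genuinely needs it.`, would make that dependency visible where the rules live. The `allow unconfineddomain { file_type ... }` statement this hunk closes opens in the previous hunk, and like the fs_type and dev_type rules it drops `mounton` for `dir` as well as for the three classes the assertion names, which is broader than the commit message states.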