Don't grant hard link capabilities by default.

Modify create_file_perms and create_dir_perms so it doesn't have
the "link" permission. This permission controls whether hard links
are allowed or not on the given file label. Hard links are a common
source of security bugs, and isn't something we want to support by
default.

Get rid of link_file_perms and move the necessary permissions into
create_file_perms and create_dir_perms. Nobody is using this macro,
so it's pointless to keep it around.

Get rid of unlink on directories. It returns EISDIR if you attempt to
do it, independent of SELinux permissions.

SELinux domains which have a need for hard linking for a particular
file type can add it back to their permission set on an as-needed basis.

Add a compile time assertion (neverallow rule) for untrusted_app.
It's particularly dangerous for untrusted_app to ever have hard
link capabilities, and the neverallow rule will prevent regressions.

Bug: 19953790
Change-Id: I5e9493d2bf5da460d074f0bc5ad8ba7c14dec6e0
This commit is contained in:
Nick Kralevich 2015-03-26 18:18:03 -07:00
parent 6b03bbab30
commit 85ce2c706e
2 changed files with 10 additions and 3 deletions

View file

@ -25,14 +25,13 @@ define(`rx_file_perms', `{ r_file_perms x_file_perms }')
define(`ra_file_perms', `{ r_file_perms append }') define(`ra_file_perms', `{ r_file_perms append }')
define(`rw_file_perms', `{ r_file_perms w_file_perms }') define(`rw_file_perms', `{ r_file_perms w_file_perms }')
define(`rwx_file_perms', `{ rw_file_perms x_file_perms }') define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
define(`link_file_perms', `{ getattr link unlink rename }') define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
define(`create_file_perms', `{ create setattr rw_file_perms link_file_perms }')
define(`r_dir_perms', `{ open getattr read search ioctl }') define(`r_dir_perms', `{ open getattr read search ioctl }')
define(`w_dir_perms', `{ open search write add_name remove_name }') define(`w_dir_perms', `{ open search write add_name remove_name }')
define(`ra_dir_perms', `{ r_dir_perms add_name write }') define(`ra_dir_perms', `{ r_dir_perms add_name write }')
define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }') define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
define(`create_dir_perms', `{ create reparent rmdir setattr rw_dir_perms link_file_perms }') define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
define(`r_ipc_perms', `{ getattr read associate unix_read }') define(`r_ipc_perms', `{ getattr read associate unix_read }')
define(`w_ipc_perms', `{ write unix_write }') define(`w_ipc_perms', `{ write unix_write }')

View file

@ -176,3 +176,11 @@ neverallow untrusted_app property_type:property_service set;
# never be granted to any other domain within mlstrustedsubject) # never be granted to any other domain within mlstrustedsubject)
# and untrusted_app is allowed fork permission to itself. # and untrusted_app is allowed fork permission to itself.
neverallow untrusted_app mlstrustedsubject:process fork; neverallow untrusted_app mlstrustedsubject:process fork;
# Do not allow untrusted_app to hard link to any files.
# In particular, if untrusted_app links to other app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure untrusted_app never has this
# capability.
neverallow untrusted_app file_type:file link;