Allow kernel domain, not init domain, to set SELinux enforcing mode.
As per the discussion in: https://android-review.googlesource.com/#/c/71184/ init sets the enforcing mode in its code prior to switching to the init domain via a setcon command in the init.rc file. Hence, the setenforce permission is checked while still running in the kernel domain. Further, as init has no reason to ever set the enforcing mode again, we do not need to allow setenforce to the init domain and this prevents reverting to permissive mode via an errant write by init later. We could technically dontaudit the kernel setenforce access instead since the first call to setenforce happens while still permissive (and thus we never need to allow it in policy) but we allow it to more accurately represent what is possible. Change-Id: I617876c479666a03167b8fce270c82a8d45c7cc6 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley
Nick Kralevich
parent
2b392fccf3
commit
bf12e22514
3 changed files with 15 additions and 2 deletions
13
domain.te
13
domain.te
|
|
@ -130,8 +130,17 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
|
|||
### neverallow rules
|
||||
###
|
||||
|
||||
# Only init should be able to load SELinux policies and set enforcing mode.
|
||||
neverallow { domain -init } kernel:security { load_policy setenforce };
|
||||
# Only init should be able to load SELinux policies.
|
||||
# The first load technically occurs while still in the kernel domain,
|
||||
# but this does not trigger a denial since there is no policy yet.
|
||||
# Policy reload requires allowing this to the init domain.
|
||||
neverallow { domain -init } kernel:security load_policy;
|
||||
|
||||
# Only init prior to switching context should be able to set enforcing mode.
|
||||
# init starts in kernel domain and switches to init domain via setcon in
|
||||
# the init.rc, so the setenforce occurs while still in kernel. After
|
||||
# switching domains, there is never any need to setenforce again by init.
|
||||
neverallow { domain -kernel } kernel:security setenforce;
|
||||
|
||||
# Only init, ueventd and system_server should be able to access HW RNG
|
||||
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
|
||||
|
|
|
|||
1
init.te
1
init.te
|
|
@ -11,3 +11,4 @@ allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
|||
allow init kernel:security { load_policy setenforce };
|
||||
allow init usermodehelper:file rw_file_perms;
|
||||
allow init proc_security:file rw_file_perms;
|
||||
allow init kernel:security load_policy;
|
||||
|
|
|
|||
|
|
@ -6,3 +6,6 @@ relabelto_domain(kernel)
|
|||
|
||||
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
||||
allow kernel unlabeled:filesystem mount;
|
||||
|
||||
# Initial setenforce by init prior to switching to init domain.
|
||||
allow kernel self:security setenforce;
|
||||
|
|
|
|||
Loading…
Reference in a new issue