Merge "kernel: neverallow dac_{override,read_search} perms"

2017-02-24 17:42:14 +00:00 · 2017-02-24 17:42:14 +00:00 · eb036bd0ee
commit eb036bd0ee
parent 3355de1398 3927086dba
1 changed files with 5 additions and 0 deletions
--- a/public/kernel.te
+++ b/public/kernel.te
@ -90,3 +90,8 @@ neverallow * kernel:process { transition dyntransition };
 # - You are running an exploit which switched to the init task credentials
 #   and is then trying to exec a shell or other program.  You lose!
 neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:capability { dac_override dac_read_search };