From eb1bbf2632dc20e836f3d340feab548ee496e291 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Thu, 29 May 2014 14:35:55 -0400
Subject: [PATCH] Clean up kernel, init, and recovery domains.

Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules.

Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d
Signed-off-by: Stephen Smalley
---
 init.te | 19 ++++++++++++++++---
 kernel.te | 12 ++++++++----
 recovery.te | 7 ++++---
 3 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/init.te b/init.te
index f0e11f639..5cb947199 100644
--- a/init.te
+++ b/init.te
@@ -3,17 +3,30 @@ type init, domain;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
-# add a rule to handle unlabelled mounts
-allow init unlabeled:filesystem mount;
 allow init self:capability { sys_rawio mknod };
+# Running e2fsck or mkswap via fs_mgr.
 allow init dev_type:blk_file rw_file_perms;
+
+# Mounting filesystems.
 allow init fs_type:filesystem *;
-allow init {fs_type dev_type}:dir_file_class_set relabelto;
+allow init unlabeled:filesystem *;
+
+# restorecon and restorecon_recursive calls from init.rc files.
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init..rc files often include device-specific types, so
+# we just allow all file types except /system files here.
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
+
+# Reload policy upon setprop selinux.reload_policy 1.
 allow init kernel:security load_policy;
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;
+
+# Set usermodehelpers and /proc security settings.
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
diff --git a/kernel.te b/kernel.te
index b09c10648..96b57407e 100644
--- a/kernel.te
+++ b/kernel.te
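Review bot: `allow init unlabeled:filesystem *;` grants every permission in the filesystem class, while the commit message only asks for unmount to be added to the old mount rule; notably the wildcard also covers the superblock relabelfrom/relabelto permissions (the context= family of mount options), quotamod and associate. Because init is unconfined here the effective grant is unchanged today, but these explicit rules are what remain once unconfined_domain is tightened, so `allow init unlabeled:filesystem { mount unmount getattr remount };` would record the actual intent (the same narrowing applies to the pre-existing `fs_type:filesystem *` line). Separately, the new comment `# init..rc files often include device-specific types, so` reads as garbled, at least as rendered here, and was presumably meant to name the device-specific `init.<device>.rc` files.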
@@ -8,10 +8,14 @@ allow kernel init:process dyntransition;
 # The kernel is unconfined.
 unconfined_domain(kernel)
-allow kernel {fs_type dev_type}:dir_file_class_set relabelto;
-allow kernel {file_type -system_file -exec_type}:dir_file_class_set relabelto;
-allow kernel unlabeled:filesystem mount;
-allow kernel fs_type:filesystem *;
+# init direct restorecon calls prior to switching to init domain
+# /dev and /dev/socket
+allow kernel { device socket_device }:dir relabelto;
+# /dev/__properties__
+allow kernel properties_device:file relabelto;
+# /sys
+allow kernel sysfs:{ dir file lnk_file } relabelfrom;
+allow kernel sysfs_type:{ dir file lnk_file } relabelto;
 # Initial setenforce by init prior to switching to init domain.
 # We use dontaudit instead of allow to prevent a kernel spawned userspace
diff --git a/recovery.te b/recovery.te
index 811623e62..669c1da37 100644
--- a/recovery.te
+++ b/recovery.te
@@ -5,11 +5,12 @@ unconfined_domain(recovery)
 allow recovery self:capability2 mac_admin;
-allow recovery {dev_type -kmem_device}:dir_file_class_set relabelto;
-allow recovery {fs_type file_type}:dir_file_class_set relabelto;
-allow recovery unlabeled:filesystem mount;
+# Mount filesystems.
 allow recovery fs_type:filesystem *;
+allow recovery unlabeled:filesystem *;
+
+# Create and relabel files under /system.
 allow recovery exec_type:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
 allow recovery system_file:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
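Review bot: The new relabel rules are asymmetric in a way the comment does not explain: `/sys` gets both `sysfs:{ dir file lnk_file } relabelfrom` and `sysfs_type:... relabelto`, while `/dev`, `/dev/socket` and `/dev/__properties__` get only relabelto, with no relabelfrom on whatever tmpfs-backed type those objects start out with. If `unconfined_domain(kernel)` already grants relabelfrom then the explicit sysfs relabelfrom line is redundant; if it does not, the /dev restorecon calls are missing a rule — either way a comment such as `# relabelfrom is covered by unconfined_domain; only relabelto must be explicit` (adjusted to what the macro actually grants) would settle it for the next reader. The sysfs-only relabelfrom also assumes everything under /sys still carries the base sysfs label at this point; if genfs_contexts assigns a more specific sysfs_type label that file_contexts then changes, the recursive restorecon would need `sysfs_type:{ dir file lnk_file } relabelfrom` instead.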
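Review bot: `allow recovery unlabeled:filesystem *;` is wider than the unmount capability the commit message asks for; like the `fs_type:filesystem *` line above it, the wildcard includes the superblock relabelfrom/relabelto, quota and associate permissions rather than just mount and unmount. Recovery is unconfined, so the effective grant does not change, but these explicit rules are the ones that persist when unconfined_domain is tightened, so `allow recovery unlabeled:filesystem { mount unmount getattr remount };` matches the stated intent. The hunk also drops recovery's relabelto on `dev_type` and on `fs_type file_type` generally, leaving only the exec_type/system_file rules visible in context; whether recovery's wipe or format paths relabel anything under /data or /cache is not visible here and is worth confirming, since such a denial would only surface on a wipe.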