04ee5dfb80
Linux defines two capabilities for Mandatory Access Control (MAC) security modules, CAP_MAC_OVERRIDE (override MAC access restrictions) and CAP_MAC_ADMIN (allow MAC configuration or state changes). SELinux predates these capabilities and did not originally use them, but later made use of CAP_MAC_ADMIN as a way to control the ability to set security context values unknown to the currently loaded SELinux policy on files. That facility is used in Linux for e.g. livecd creation where a file security context that is being set on a generated filesystem is not known to the build host policy. Internally, files with such labels are treated as having the unlabeled security context for permission checking purposes until/unless the context is later defined through a policy reload. CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs to be allowed. CAP_MAC_ADMIN is only checked if setting an unknown security context value; the only legitimate use I can see in Android is the recovery console, where a context may need to be set on /system that is not defined in the recovery policy. Remove these capabilities from unconfined domains, allow mac_admin for the recovery domain, and add neverallow rules. Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
14 lines
483 B
Text
14 lines
483 B
Text
# recovery console (used in recovery init.rc for /sbin/recovery)
|
|
type recovery, domain;
|
|
allow recovery rootfs:file entrypoint;
|
|
unconfined_domain(recovery)
|
|
relabelto_domain(recovery)
|
|
|
|
allow recovery self:capability2 mac_admin;
|
|
|
|
allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
|
|
allow recovery unlabeled:filesystem mount;
|
|
|
|
allow recovery self:process execmem;
|
|
allow recovery ashmem_device:chr_file execute;
|
|
allow recovery tmpfs:file rx_file_perms;
|