04ee5dfb80
Linux defines two capabilities for Mandatory Access Control (MAC) security modules, CAP_MAC_OVERRIDE (override MAC access restrictions) and CAP_MAC_ADMIN (allow MAC configuration or state changes). SELinux predates these capabilities and did not originally use them, but later made use of CAP_MAC_ADMIN as a way to control the ability to set security context values unknown to the currently loaded SELinux policy on files. That facility is used in Linux for e.g. livecd creation where a file security context that is being set on a generated filesystem is not known to the build host policy. Internally, files with such labels are treated as having the unlabeled security context for permission checking purposes until/unless the context is later defined through a policy reload. CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs to be allowed. CAP_MAC_ADMIN is only checked if setting an unknown security context value; the only legitimate use I can see in Android is the recovery console, where a context may need to be set on /system that is not defined in the recovery policy. Remove these capabilities from unconfined domains, allow mac_admin for the recovery domain, and add neverallow rules. Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
44 lines
2.4 KiB
Text
44 lines
2.4 KiB
Text
#######################################################
|
|
#
|
|
# This is the unconfined template. This template is the base policy
|
|
# which is used by daemons and other privileged components of
|
|
# Android.
|
|
#
|
|
# Historically, this template was called "unconfined" because it
|
|
# allowed the domain to do anything it wanted. Over time,
|
|
# this has changed, and will continue to change in the future.
|
|
# The rules in this file will be removed when no remaining
|
|
# unconfined domains require it, or when the rules contradict
|
|
# Android security best practices. Domains which need rules not
|
|
# provided by the unconfined template should add them directly to
|
|
# the relevant policy.
|
|
#
|
|
# The use of this template is discouraged.
|
|
######################################################
|
|
|
|
allow unconfineddomain self:capability *;
|
|
allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
|
|
allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
|
|
allow unconfineddomain kernel:system *;
|
|
allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
|
|
allow unconfineddomain domain:fd *;
|
|
allow unconfineddomain domain:dir r_dir_perms;
|
|
allow unconfineddomain domain:lnk_file r_file_perms;
|
|
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
|
|
allow unconfineddomain domain:socket_class_set *;
|
|
allow unconfineddomain domain:ipc_class_set *;
|
|
allow unconfineddomain domain:key *;
|
|
allow unconfineddomain fs_type:filesystem *;
|
|
allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
|
|
allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
|
|
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
|
|
allow unconfineddomain file_type:{ chr_file file } ~{entrypoint execmod execute relabelto};
|
|
allow unconfineddomain { rootfs system_file exec_type }:file execute;
|
|
allow unconfineddomain node_type:node *;
|
|
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
|
|
allow unconfineddomain netif_type:netif *;
|
|
allow unconfineddomain port_type:socket_class_set name_bind;
|
|
allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
|
|
allow unconfineddomain domain:peer recv;
|
|
allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
|
|
allow unconfineddomain property_type:property_service set;
|