346cae2781
Change-Id: I571731169036a3203d0145af67f45b3d9eb6366b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
52 lines
2.2 KiB
Text
52 lines
2.2 KiB
Text
# Policy assertions.
|
|
# These neverallow rules are checked by checkpolicy at policy build time.
|
|
# checkpolicy will refuse to generate the kernel policy if any of these
|
|
# assertions fail.
|
|
|
|
# Superuser capabilities.
|
|
# Only exception is sys_nice for binder, might not be necessary.
|
|
neverallow { appdomain -bluetooth } self:capability ~sys_nice;
|
|
neverallow bluetooth self:capability ~{ sys_nice net_admin };
|
|
neverallow appdomain self:capability2 *;
|
|
|
|
# Block device access.
|
|
neverallow appdomain dev_type:blk_file { read write };
|
|
|
|
# Kernel memory access.
|
|
neverallow appdomain kmem_device:chr_file { read write };
|
|
|
|
# Setting SELinux enforcing status or booleans.
|
|
# Conditionally allowed to system_app for SEAndroidManager.
|
|
neverallow { domain -unconfineddomain -system -system_app } kernel:security { setenforce setbool };
|
|
|
|
# Load security policy.
|
|
neverallow appdomain kernel:security load_policy;
|
|
|
|
# Privileged netlink socket interfaces.
|
|
neverallow appdomain self:{ netlink_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } *;
|
|
|
|
# Access to /proc/pid entries for any non-app domain.
|
|
# Violated by cts.te rules so commented out for now.
|
|
#neverallow appdomain { domain - appdomain }:dir search;
|
|
#neverallow appdomain { domain - appdomain }:lnk_file read;
|
|
#neverallow appdomain { domain - appdomain }:file { read write };
|
|
|
|
# ptrace access to non-app domains.
|
|
neverallow appdomain { domain -appdomain }:process ptrace;
|
|
|
|
# Transition to a non-app domain.
|
|
# Shell excluded since it has a transition to runas.
|
|
neverallow { appdomain -shell } ~appdomain:process { transition dyntransition };
|
|
|
|
# Map low memory.
|
|
neverallow appdomain self:memprotect mmap_zero;
|
|
|
|
# Write to /system.
|
|
neverallow appdomain system_file:dir_file_class_set write;
|
|
|
|
# Write to system-owned parts of /data.
|
|
# This is the default type for anything under /data not otherwise
|
|
# specified in file_contexts. Define a different type for portions
|
|
# that should be writable by apps.
|
|
# Exception for system_app for Settings.
|
|
neverallow { appdomain -system_app } system_data_file:dir_file_class_set write;
|