Remove write access to rootfs files.
Remove write access to rootfs files from unconfineddomain and prevent adding it back via neverallow. This is only applied to regular files, as we are primarily concerned with preventing writing to a file that can be exec'd and because creation of directories or symlinks in the rootfs may be required for mount point directories. Change-Id: If2c96da03f5dd6f56de97131f6ba9eceea328721 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley
Nick Kralevich
parent
f3c3a1aa33
commit
04b8a75c2f
@ -277,6 +277,9 @@ neverallow { domain -init } property_data_file:file { create setattr relabelfrom
|
||||
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# Nothing should be writing to files in the rootfs.
|
||||
neverallow domain rootfs:file { create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# Restrict context mounts to specific types marked with
|
||||
# the contextmount_type attribute.
|
||||
neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
|
||||
|
||||
@ -70,6 +70,7 @@ allow unconfineddomain {
|
||||
-usermodehelper
|
||||
-proc_security
|
||||
-contextmount_type
|
||||
-rootfs
|
||||
}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
|
||||
allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
|
||||
allow unconfineddomain {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user