PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Drop special handling of app_data_file in mls constraints.

Browse Source 
This was a legacy of trying to support per-app level isolation
in a compatible manner by blocking direct open but permitting
read/write via passing of open files over Binder or local sockets.
It is no longer relevant and just confusing to anyone trying to use
the mls support for anything else.

Change-Id: I6d92a7cc20bd7d2fecd2c9357e470a30f10967a3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2014-03-12 09:31:32 -04:00
parent f8479e025f
commit 27042f6da1
1 changed files with 4 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
mls
View File

@ -59,37 +59,21 @@ mlsconstrain unix_stream_socket { connectto }
mlsconstrain dir_file_class_set { create relabelfrom relabelto }
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
#
# Constraints for app data files only.
#
# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must be equivalent to object unless the subject is trusted.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
(t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
(t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
#
# Constraints for file types other than app data files.
#
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
(t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
(t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
(l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be dominated by the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
(t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
(t2 == app_data_file or l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
(l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the