Restrict requesting contexts other than policy-defined defaults.
Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
parent
4fce0ef97c
commit
356f4be679
1
adbd.te
1
adbd.te
@ -3,6 +3,7 @@
|
|||||||
type adbd, domain;
|
type adbd, domain;
|
||||||
|
|
||||||
userdebug_or_eng(`
|
userdebug_or_eng(`
|
||||||
|
allow adbd self:process setcurrent;
|
||||||
allow adbd su:process dyntransition;
|
allow adbd su:process dyntransition;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -11,7 +11,7 @@ allow domain tmpfs:file { read getattr };
|
|||||||
allow domain tmpfs:dir r_dir_perms;
|
allow domain tmpfs:dir r_dir_perms;
|
||||||
|
|
||||||
# Intra-domain accesses.
|
# Intra-domain accesses.
|
||||||
allow domain self:process ~{ execmem execstack execheap ptrace };
|
allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate };
|
||||||
allow domain self:fd use;
|
allow domain self:fd use;
|
||||||
allow domain self:dir r_dir_perms;
|
allow domain self:dir r_dir_perms;
|
||||||
allow domain self:lnk_file r_file_perms;
|
allow domain self:lnk_file r_file_perms;
|
||||||
|
6
init.te
6
init.te
@ -27,3 +27,9 @@ allow init watchdogd:process transition;
|
|||||||
# the directory as part of a recursive restorecon.
|
# the directory as part of a recursive restorecon.
|
||||||
allow init keystore_data_file:dir { open create read getattr setattr search };
|
allow init keystore_data_file:dir { open create read getattr setattr search };
|
||||||
allow init keystore_data_file:file { getattr };
|
allow init keystore_data_file:file { getattr };
|
||||||
|
|
||||||
|
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
|
||||||
|
# setexec is for services with seclabel options.
|
||||||
|
# setfscreate is for labeling directories and socket files.
|
||||||
|
# setsockcreate is for labeling local/unix domain sockets.
|
||||||
|
allow init self:process { setexec setfscreate setsockcreate };
|
||||||
|
@ -1,6 +1,8 @@
|
|||||||
# Life begins with the kernel.
|
# Life begins with the kernel.
|
||||||
type kernel, domain;
|
type kernel, domain;
|
||||||
|
|
||||||
|
# setcon to init domain.
|
||||||
|
allow kernel self:process setcurrent;
|
||||||
allow kernel init:process dyntransition;
|
allow kernel init:process dyntransition;
|
||||||
|
|
||||||
# The kernel is unconfined.
|
# The kernel is unconfined.
|
||||||
|
@ -15,3 +15,6 @@ allow recovery dev_type:blk_file rw_file_perms;
|
|||||||
allow recovery self:process execmem;
|
allow recovery self:process execmem;
|
||||||
allow recovery ashmem_device:chr_file execute;
|
allow recovery ashmem_device:chr_file execute;
|
||||||
allow recovery tmpfs:file rx_file_perms;
|
allow recovery tmpfs:file rx_file_perms;
|
||||||
|
|
||||||
|
# Use setfscreatecon() to label files for OTA updates.
|
||||||
|
allow recovery self:process setfscreate;
|
||||||
|
1
runas.te
1
runas.te
@ -21,4 +21,5 @@ allow runas self:capability { setuid setgid };
|
|||||||
# read /seapp_contexts and /data/security/seapp_contexts
|
# read /seapp_contexts and /data/security/seapp_contexts
|
||||||
security_access_policy(runas)
|
security_access_policy(runas)
|
||||||
selinux_check_context(runas) # validate context
|
selinux_check_context(runas) # validate context
|
||||||
|
allow runas self:process setcurrent;
|
||||||
allow runas non_system_app_set:process dyntransition; # setcon
|
allow runas non_system_app_set:process dyntransition; # setcon
|
||||||
|
@ -20,3 +20,6 @@ allow ueventd dev_type:blk_file { create setattr unlink };
|
|||||||
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
|
allow ueventd self:netlink_kobject_uevent_socket create_socket_perms;
|
||||||
allow ueventd efs_file:dir search;
|
allow ueventd efs_file:dir search;
|
||||||
allow ueventd efs_file:file r_file_perms;
|
allow ueventd efs_file:file r_file_perms;
|
||||||
|
|
||||||
|
# Use setfscreatecon() to label /dev directories and files.
|
||||||
|
allow ueventd self:process setfscreate;
|
||||||
|
@ -9,6 +9,7 @@ allow zygote self:capability { dac_override setgid setuid fowner chown };
|
|||||||
# Drop capabilities from bounding set.
|
# Drop capabilities from bounding set.
|
||||||
allow zygote self:capability setpcap;
|
allow zygote self:capability setpcap;
|
||||||
# Switch SELinux context to app domains.
|
# Switch SELinux context to app domains.
|
||||||
|
allow zygote self:process setcurrent;
|
||||||
allow zygote system_server:process dyntransition;
|
allow zygote system_server:process dyntransition;
|
||||||
allow zygote appdomain:process dyntransition;
|
allow zygote appdomain:process dyntransition;
|
||||||
# Allow zygote to read app /proc/pid dirs (b/10455872)
|
# Allow zygote to read app /proc/pid dirs (b/10455872)
|
||||||
|
Loading…
Reference in New Issue
Block a user