remove "self:process ptrace" from domain, netd neverallow rules
Remove "self:process ptrace" from all SELinux enforced domains. In general, a process should never need to ptrace itself. We can add this back to more narrowly scoped domains as needed. Add a bunch of neverallow assertions to netd.te, to verify that netd never gets unexpected capabilities. Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
This commit is contained in:
parent
748fdef626
commit
9a19885c4c
@ -14,7 +14,7 @@ allow domain tmpfs:dir r_dir_perms;
|
||||
allow domain self:capability sys_nice;
|
||||
|
||||
# Intra-domain accesses.
|
||||
allow domain self:process ~{ execstack execheap };
|
||||
allow domain self:process ~{ execstack execheap ptrace };
|
||||
allow domain self:fd use;
|
||||
allow domain self:dir r_dir_perms;
|
||||
allow domain self:lnk_file r_file_perms;
|
||||
|
28
netd.te
28
netd.te
@ -3,7 +3,6 @@ type netd, domain;
|
||||
type netd_exec, exec_type, file_type;
|
||||
|
||||
init_daemon_domain(netd)
|
||||
typeattribute netd mlstrustedsubject;
|
||||
allow netd self:capability { net_admin net_raw kill };
|
||||
allow netd self:netlink_kobject_uevent_socket *;
|
||||
allow netd self:netlink_route_socket *;
|
||||
@ -52,3 +51,30 @@ allow netd dnsmasq:process signal;
|
||||
# TODO: prune this back further
|
||||
allow netd ctl_default_prop:property_service set;
|
||||
allow netd device:sock_file write;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
### netd should NEVER do any of this
|
||||
|
||||
# Block device access.
|
||||
neverallow netd dev_type:blk_file { read write };
|
||||
|
||||
# Kernel memory access.
|
||||
neverallow netd kmem_device:chr_file { read write };
|
||||
|
||||
# Setting SELinux enforcing status or booleans.
|
||||
# Conditionally allowed to system_app for SEAndroidManager.
|
||||
neverallow netd kernel:security { setenforce setbool };
|
||||
|
||||
# Load security policy.
|
||||
neverallow netd kernel:security load_policy;
|
||||
|
||||
# ptrace any other app
|
||||
neverallow netd { domain }:process ptrace;
|
||||
|
||||
# Write to /system.
|
||||
neverallow netd system_file:dir_file_class_set write;
|
||||
|
||||
# Write to files in /data/data or system files on /data
|
||||
neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
|
||||
|
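Review bot: The two filesystem assertions at the end of the hunk only forbid `write`, so `create`, `unlink`, `rename`, `setattr`, `append`, `link` and `relabelfrom`/`relabelto` on `system_file` and on `app_data_file`/`system_data_file` objects are not asserted, even though the comments read "Write to /system" and "Write to files in /data/data". If the intent is that netd cannot modify those trees at all, widen the permission set, e.g. `neverallow netd system_file:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename };`, and use the same set for the `{ app_data_file system_data_file }` rule. The comment `# ptrace any other app` above `neverallow netd { domain }:process ptrace;` understates the rule: `domain` covers every process, including netd itself, which is consistent with the `domain.te` change in this commit, so `# ptrace any process (domain includes netd itself)` would be more accurate. The braces around the single attribute in `{ domain }` are also redundant.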