author | Stephen Smalley <sds@tycho.nsa.gov> | 2013-12-06 08:20:50 -0800 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2013-12-06 08:20:50 -0800 |
commit | d5f77d7ab1c8ae22279dbe353aea70851c61ca94 (patch) | |
tree | 55e7defc3f207d13f453c25e53184054ccfb1d7b | |
parent | b96f677cf000b9db78359092a0a75a8fc75809cf (diff) | |
parent | 7adb999e701ee96356c506ffa93fce190791e8b7 (diff) | |
am 7adb999e: Restrict the ability to set usermodehelpers and proc security settings.
* commit '7adb999e701ee96356c506ffa93fce190791e8b7':
Restrict the ability to set usermodehelpers and proc security settings.
-rw-r--r-- | domain.te | 5 | ||||
-rw-r--r-- | file.te | 4 | ||||
-rw-r--r-- | file_contexts | 1 | ||||
-rw-r--r-- | genfs_contexts | 12 | ||||
-rw-r--r-- | init.te | 2 | ||||
-rw-r--r-- | unconfined.te | 4 |
6 files changed, 27 insertions, 1 deletions
@@ -142,3 +142,8 @@ neverallow domain { file_type -exec_type }:file entrypoint;
 # Ensure that nothing in userspace can access /dev/mem or /dev/kmem
 neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
 neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
+
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init } proc_security:file { append write };
@@ -4,6 +4,10 @@ type pipefs, fs_type;
 type sockfs, fs_type;
 type rootfs, fs_type;
 type proc, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, sysfs_type;
 type qtaguid_proc, fs_type, mlstrustedobject;
 type proc_bluetooth_writable, fs_type;
 type selinuxfs, fs_type;
diff --git a/file_contexts b/file_contexts
index 7f0486d..2907183 100644
--- a/file_contexts
+++ b/file_contexts
@@ -206,6 +206,7 @@
 /sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
 /sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
 /sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
+/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
 #############################
 # asec containers
 /mnt/asec(/.*)? u:object_r:asec_apk_file:s0
diff --git a/genfs_contexts b/genfs_contexts
index 2607b9d..2aed2bc 100644
--- a/genfs_contexts
+++ b/genfs_contexts
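Review bot: The new comment above the two neverallow rules in domain.te says that only init may configure these nodes but not why a write is dangerous, which is exactly what a later reviewer asked to relax the rule needs to know. I would extend it to name the consequence: `# usermodehelper nodes name binaries the kernel itself runs as root (modprobe, hotplug, core_pattern, poweroff_cmd, uevent_helper), so write access is root code execution;` followed by `# proc_security nodes switch kernel hardening off (kptr_restrict, dmesg_restrict, randomize_va_space, modules_disabled, protected_*links, suid_dumpable).` The `{ append write }` fence itself is the right one for content changes to proc/sysfs nodes, but it only protects inodes that actually carry these labels, so it is worth saying that it depends on the genfs_contexts/file_contexts entries being applied.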
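Review bot: `usermodehelper` is declared with `sysfs_type`, yet according to genfs_contexts in this same change most of its instances are proc nodes, so every existing rule written against `sysfs_type` now also reaches /proc/sys/kernel/modprobe and its siblings. The domain.te neverallow fences append/write, but no other permission is fenced, so this is a wider exposure than the comment suggests. If the attribute is only there so the sysfs-labelled /sys/kernel/uevent_helper fits existing sysfs rules, say so: `# sysfs_type is for /sys/kernel/uevent_helper; the proc instances of this type inherit sysfs_type rules as well.` Also, "writable to most" in the proc_security comment reads better as "writable by any domain other than init".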
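Review bot: The new `/sys/kernel/uevent_helper` entry is inert on its own: sysfs is labelled by genfscon at mount time, so a file_contexts entry for a sysfs path only takes effect once something runs restorecon on that path, which is how the neighbouring wake_lock entries work as far as I can tell. Unless a matching `restorecon /sys/kernel/uevent_helper` lands in init.rc (outside this repository), the node keeps the generic sysfs label and the domain.te neverallow does not cover it. A comment recording that dependency would save the next reader the same investigation, e.g. `# relabelled by restorecon in init.rc; protected by the usermodehelper neverallow in domain.te`.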
@@ -3,6 +3,18 @@ genfscon rootfs / u:object_r:rootfs:s0
 # proc labeling can be further refined (longest matching prefix).
 genfscon proc / u:object_r:proc:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
@@ -9,3 +9,5 @@
 allow init unlabeled:filesystem mount;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security { load_policy setenforce };
+allow init usermodehelper:file rw_file_perms;
+allow init proc_security:file rw_file_perms;
diff --git a/unconfined.te b/unconfined.te
index f6899c2..d6c8598 100644
--- a/unconfined.te
+++ b/unconfined.te
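Review bot: `/sys/vm/mmap_min_addr` is missing from the proc_security set even though it is the same class of knob as `randomize_va_space` (lowering it lets an unprivileged process map page zero and turns kernel NULL-pointer dereferences back into exploitable bugs), so I would add `genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0` alongside the other entries. Note also that these paths are longest-prefix matches, so `/sys/kernel/usermodehelper` labels the directory together with its children (bset, inheritable), which is what makes the file-class neverallow in domain.te apply to them. A one-line comment above the block stating the selection criterion, e.g. `# Writable knobs that name a helper binary or disable a kernel hardening feature.`, would help whoever extends this list for newer kernels.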
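Review bot: `allow init usermodehelper:file rw_file_perms;` grants file permissions only, but the genfs_contexts entry for `/sys/kernel/usermodehelper` in this change labels a directory (on kernels of this era it holds bset and inheritable), so init also needs `usermodehelper:dir search` to reach those nodes. I cannot see from this diff whether init still carries unconfineddomain; if it does the gap is masked today, but it will surface the moment init is confined, so add `allow init usermodehelper:dir search;` now to keep these rules self-sufficient.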
@@ -30,7 +30,9 @@ allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type dev_type file_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain file_type:{ chr_file file } ~{entrypoint relabelto};
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;
|
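Review bot: Splitting the former single rule into three per-attribute rules changes what the exclusions mean: `-usermodehelper -proc_security` now only subtract from the fs_type set and `-kmem_device` only from dev_type, so any type that later ends up with two of these attributes is silently re-granted `chr_file`/`file` access by the other rule. The original shape keeps every subtraction global and is one line: `allow unconfineddomain {fs_type dev_type file_type -kmem_device -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint relabelto};`. No type in this diff carries two of the three attributes, so behaviour is the same today; this is a robustness point about how the rule is written.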