authorStephen Smalley <sds@tycho.nsa.gov>2013-12-06 08:20:50 -0800
committerAndroid Git Automerger <android-git-automerger@android.com>2013-12-06 08:20:50 -0800
commitd5f77d7ab1c8ae22279dbe353aea70851c61ca94 (patch)
tree55e7defc3f207d13f453c25e53184054ccfb1d7b
parentb96f677cf000b9db78359092a0a75a8fc75809cf (diff)
parent7adb999e701ee96356c506ffa93fce190791e8b7 (diff)
downloadsepolicy-d5f77d7ab1c8ae22279dbe353aea70851c61ca94.tar.gz
am 7adb999e: Restrict the ability to set usermodehelpers and proc security settings.
* commit '7adb999e701ee96356c506ffa93fce190791e8b7': Restrict the ability to set usermodehelpers and proc security settings.
-rw-r--r--domain.te5
-rw-r--r--file.te4
-rw-r--r--file_contexts1
-rw-r--r--genfs_contexts12
-rw-r--r--init.te2
-rw-r--r--unconfined.te4
6 files changed, 27 insertions, 1 deletions
diff --git a/domain.te b/domain.te
index cf89076..4297bad 100644
--- a/domain.te
+++ b/domain.te
@@ -142,3 +142,8 @@ neverallow domain { file_type -exec_type }:file entrypoint;
# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
+
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init } proc_security:file { append write };
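Review bot: The two new neverallow lines pin only `append write`, so a grant of `relabelfrom` on these types is not caught at policy build time, and usermodehelper inherits any attribute-wide rule on `sysfs_type` (file.te gives it that attribute in this commit). On a sysfs node such as /sys/kernel/uevent_helper, a domain holding `relabelfrom` on usermodehelper plus `relabelto` on some writable type could move the node out of the protected type before writing, which the write-only neverallow would not see; whether any domain in the tree has such a grant is not visible from this hunk. The kmem_device rule two lines above uses the stricter `~{ create relabelto unlink setattr }` shape for the same reason. If nothing but init (which relabels /sys at boot) needs to relabel these nodes, consider `neverallow { domain -init } { usermodehelper proc_security }:file { append write relabelfrom };`.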
diff --git a/file.te b/file.te
index 9bd88c7..39d139c 100644
--- a/file.te
+++ b/file.te
@@ -4,6 +4,10 @@ type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
type proc, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, sysfs_type;
type qtaguid_proc, fs_type, mlstrustedobject;
type proc_bluetooth_writable, fs_type;
type selinuxfs, fs_type;
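Review bot: The comment on proc_security says the nodes "should not be writable to most" without naming who may write or what enforces it, so a reader has to grep for the neverallow. Suggest `# Security-sensitive proc nodes; writable only by init (enforced by neverallow in domain.te).` in its place. The usermodehelper declaration would likewise benefit from a note that it carries `sysfs_type` because /sys/kernel/uevent_helper is labeled with it, so every attribute-wide sysfs_type rule in the tree now also applies to this type.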
diff --git a/file_contexts b/file_contexts
index 7f0486d..2907183 100644
--- a/file_contexts
+++ b/file_contexts
@@ -206,6 +206,7 @@
/sys/devices/system/cpu(/.*)? u:object_r:sysfs_devices_system_cpu:s0
/sys/power/wake_lock -- u:object_r:sysfs_wake_lock:s0
/sys/power/wake_unlock -- u:object_r:sysfs_wake_lock:s0
+/sys/kernel/uevent_helper -- u:object_r:usermodehelper:s0
#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
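Review bot: The added file_contexts entry only takes effect once /sys is relabeled from file_contexts (restorecon during early init); until then the node carries whatever sysfs genfscon label applies, which this page does not show, so there may be a boot-time window in which /sys/kernel/uevent_helper is not yet usermodehelper. If the tree's genfs_contexts has a sysfs root entry, a matching `genfscon sysfs /kernel/uevent_helper u:object_r:usermodehelper:s0` would label the node from mount time and make the file_contexts line a fallback; I cannot confirm from here whether this kernel's sysfs honours genfscon sub-paths.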
diff --git a/genfs_contexts b/genfs_contexts
index 2607b9d..2aed2bc 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -3,6 +3,18 @@ genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
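Review bot: The twelve added genfscon lines interleave two labels with nothing explaining the split, so a reader cannot tell why `core_pattern` and `poweroff_cmd` are usermodehelper while `suid_dumpable` or `modules_disabled` are proc_security. A one-line comment above the block, e.g. `# usermodehelper: nodes that name a program the kernel will execute; proc_security: other kernel hardening knobs.`, would make future additions reviewable against a stated rule. Since this section is longest-prefix matched (comment at the top of the hunk), the `/sys/kernel/usermodehelper` entry also covers any entries beneath that path if it is a directory, which appears intended.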
diff --git a/init.te b/init.te
index 93098e1..b2d99fb 100644
--- a/init.te
+++ b/init.te
@@ -9,3 +9,5 @@ allow init unlabeled:filesystem mount;
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow init kernel:security { load_policy setenforce };
+allow init usermodehelper:file rw_file_perms;
+allow init proc_security:file rw_file_perms;
diff --git a/unconfined.te b/unconfined.te
index f6899c2..d6c8598 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -30,7 +30,9 @@ allow unconfineddomain domain:ipc_class_set *;
allow unconfineddomain domain:key *;
allow unconfineddomain fs_type:filesystem *;
allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type dev_type file_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain file_type:{ chr_file file } ~{entrypoint relabelto};
allow unconfineddomain node_type:node *;
allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow unconfineddomain netif_type:netif *;
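Review bot: The first replacement rule removes every `file` permission on usermodehelper and proc_security from unconfineddomain, not only the `append write` that the new domain.te neverallow requires, so reads of e.g. /proc/sys/kernel/randomize_va_space by unconfined domains will now be denied unless a rule outside this hunk grants them. If that is unintended, `allow unconfineddomain { usermodehelper proc_security }:file r_file_perms;` restores read access without tripping the neverallow. The three-way split also drops the `-kmem_device` subtraction from the `file_type` rule, which is only safe while kmem_device, usermodehelper and proc_security never also carry `file_type`; the neverallows in domain.te would catch a write grant at build time, but a comment on the rule saying that is the reason for the split would help.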