author | Nick Kralevich <nnk@google.com> | 2013-07-15 17:10:35 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2013-07-15 17:16:08 -0700 |
commit | 2637198f92d5d9c65262e42d78123d216889d546 (patch) | |
tree | 207fa8e00f9e6ee2b960b26ffd080e77f591a702 | |
parent | 8a2ebe3477837b21b728135cd8780ffd528696af (diff) | |
download | sepolicy-2637198f92d5d9c65262e42d78123d216889d546.tar.gz |
Only init should be able to load a security policy
Bug: 9859477
Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b
-rw-r--r-- | app.te | 2 | ||||
-rw-r--r-- | domain.te | 7 | ||||
-rw-r--r-- | init.te | 1 | ||||
-rw-r--r-- | unconfined.te | 2 |
4 files changed, 10 insertions, 2 deletions
@@ -138,7 +138,7 @@ neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
 neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };
 # Load security policy.
-neverallow { appdomain -unconfineddomain } kernel:security load_policy;
+neverallow appdomain kernel:security load_policy;
 # Privileged netlink socket interfaces.
 neverallow { appdomain -unconfineddomain }
@@ -135,3 +135,10 @@ allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
 allow domain unlabeled:lnk_file { create_file_perms };
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
+
+###
+### neverallow rules
+###
+
+# Only init should be able to load SELinux policies
+neverallow { domain -init } kernel:security load_policy;
@@ -9,3 +9,4 @@ relabelto_domain(init)
 allow init unlabeled:filesystem mount;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
+allow init kernel:security load_policy;
diff --git a/unconfined.te b/unconfined.te
index a3af7d7..9b1b992 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -1,5 +1,5 @@
 allow unconfineddomain self:capability_class_set *;
-allow unconfineddomain kernel:security *;
+allow unconfineddomain kernel:security ~load_policy;
 allow unconfineddomain kernel:system *;
 allow unconfineddomain self:memprotect *;
 allow unconfineddomain domain:process *;
|
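Review bot: The new `neverallow { domain -init } kernel:security load_policy;` at the end of domain.te already implies the app.te rule tightened in the same commit (appdomain is a subset of domain and init is not an app domain), so the app.te copy is now redundant; harmless as defense in depth, but the comment here should say so, otherwise someone loosening one of them later will not expect the other to still fail the policy build. The comment should also state the threat rather than restate the rule, since a domain that can load policy can replace the whole policy; something like `# Loading a policy replaces the entire policy, so only init may do so. app.te repeats this for appdomain; change both together.` would do. Because neverallow is checked when the policy is compiled, any device policy that grants load_policy to another domain will fail the build rather than silently widening the set, which is worth a word in the comment as well.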
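Review bot: `~load_policy` on the new unconfined.te line still grants every unconfined domain `setenforce` and `setbool` on kernel:security, so an unconfined domain that can no longer load a policy can still switch the kernel to permissive or flip booleans, which undoes the policy about as completely as replacing it; only confined app domains are kept from that, by the app.te context line `neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };`. If the intent behind the commit title is that only init changes the enforced policy, the same treatment should extend to setenforce: `allow unconfineddomain kernel:security ~{ load_policy setenforce };` here, paired with `neverallow { domain -init } kernel:security setenforce;` in domain.te. Whether some unconfined domain legitimately needs setenforce (for example on engineering builds) is not visible in this diff, so that would need checking before the neverallow is added.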