authorNick Kralevich <nnk@google.com>2013-07-15 17:10:35 -0700
committerNick Kralevich <nnk@google.com>2013-07-15 17:16:08 -0700
commit2637198f92d5d9c65262e42d78123d216889d546 (patch)
tree207fa8e00f9e6ee2b960b26ffd080e77f591a702
parent8a2ebe3477837b21b728135cd8780ffd528696af (diff)
downloadsepolicy-2637198f92d5d9c65262e42d78123d216889d546.tar.gz
Only init should be able to load a security policy
Bug: 9859477 Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b
-rw-r--r--app.te2
-rw-r--r--domain.te7
-rw-r--r--init.te1
-rw-r--r--unconfined.te2
4 files changed, 10 insertions, 2 deletions
diff --git a/app.te b/app.te
index dd2fbe0..d90185c 100644
--- a/app.te
+++ b/app.te
@@ -138,7 +138,7 @@ neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };
# Load security policy.
-neverallow { appdomain -unconfineddomain } kernel:security load_policy;
+neverallow appdomain kernel:security load_policy;
# Privileged netlink socket interfaces.
neverallow { appdomain -unconfineddomain }
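Review bot: The tightened `neverallow appdomain kernel:security load_policy;` is subsumed by the domain-wide `neverallow { domain -init } kernel:security load_policy;` this same commit adds to domain.te, since every app domain is a member of domain and init is not an app domain. Keeping it is harmless (a neverallow is a compile-time assertion, not a grant), but a reader will wonder why two rules cover the same case; either drop it or widen the comment to `# Load security policy. Also enforced domain-wide in domain.te; kept so app policy stays self-describing.` The netlink neverallow on the hunk's last line continues past the hunk.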
diff --git a/domain.te b/domain.te
index 95c2423..291c562 100644
--- a/domain.te
+++ b/domain.te
@@ -135,3 +135,10 @@ allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
allow domain unlabeled:dir { create_dir_perms relabelfrom };
allow domain unlabeled:lnk_file { create_file_perms };
neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
+
+###
+### neverallow rules
+###
+
+# Only init should be able to load SELinux policies
+neverallow { domain -init } kernel:security load_policy;
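Review bot: The new `### neverallow rules ###` heading is inserted below the pre-existing `neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;`, so the section it announces does not actually collect all the file's neverallow rules; moving that relabelto rule under the heading keeps the organisation honest. The comment on the new rule would also benefit from stating what a neverallow does and does not do, since readers often assume it denies at runtime: `# Only init should be able to load SELinux policies. Build-time assertion: any allow rule granting load_policy to another domain fails policy compilation; it denies nothing at runtime by itself.` The rule is consistent with the single `allow init kernel:security load_policy;` added in init.te.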
diff --git a/init.te b/init.te
index 2cbf14d..9be5955 100644
--- a/init.te
+++ b/init.te
@@ -9,3 +9,4 @@ relabelto_domain(init)
allow init unlabeled:filesystem mount;
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
+allow init kernel:security load_policy;
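Review bot: The added `allow init kernel:security load_policy;` carries no comment explaining why an explicit grant is suddenly needed; presumably init previously obtained load_policy through the unconfined rule this commit narrows to `~load_policy`, but that dependency is invisible from init.te, so confirm against how init's domain is declared. Suggest `# init loads the SELinux policy at boot. unconfined.te no longer grants load_policy, so it must be allowed explicitly here; domain.te neverallows it for every other domain.` This is the only allow for load_policy in the change, i.e. the exception the domain.te neverallow is carved around.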
diff --git a/unconfined.te b/unconfined.te
index a3af7d7..9b1b992 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -1,5 +1,5 @@
allow unconfineddomain self:capability_class_set *;
-allow unconfineddomain kernel:security *;
+allow unconfineddomain kernel:security ~load_policy;
allow unconfineddomain kernel:system *;
allow unconfineddomain self:memprotect *;
allow unconfineddomain domain:process *;
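Review bot: Removing only load_policy from the unconfined grant leaves `setenforce`, `setbool` and every other kernel:security permission available to all of unconfineddomain, so an unconfined process that is compromised can still put SELinux into permissive mode via setenforce, which largely defeats the purpose of reserving policy loading for init. Nothing else in this change closes that gap: the app.te neverallow for `setenforce setbool` explicitly carves unconfineddomain out. If init is the only domain that legitimately needs to toggle enforcement, consider `allow unconfineddomain kernel:security ~{ load_policy setenforce };` with a matching `neverallow { domain -init } kernel:security setenforce;` in domain.te, though this is hedged since other unconfined domains (a debug shell, say) may rely on setenforce during bring-up and that cannot be judged from this file.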