From 0243e5cf4f8898b7acedc24efd58fdcd163e3048 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Tue, 1 Sep 2015 15:23:30 -0700
Subject: [PATCH] system_server.te: remove policy load permissions

Remove system server's permission to dynamically update SELinux
policy on the device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch:
  * https://android-review.googlesource.com/138510
See also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

Bug: 22885422
Bug: 8949824
Change-Id: I3c64d64359060561102e1587531836b69cfeef00
---
 system_server.te |  3 ---
 te_macros        | 12 ------------
 2 files changed, 15 deletions(-)

diff --git a/system_server.te b/system_server.te
index 6737783da..39a19e906 100644
--- a/system_server.te
+++ b/system_server.te
@@ -351,9 +351,6 @@ r_dir_file(system_server, fscklogs)
 allow system_server fscklogs:dir { write remove_name };
 allow system_server fscklogs:file unlink;
 
-# For SELinuxPolicyInstallReceiver
-selinux_manage_policy(system_server)
-
 # logd access, system_server inherit logd write socket
 # (urge is to deprecate this long term)
 allow system_server zygote:unix_dgram_socket write;
diff --git a/te_macros b/te_macros
index e455e6316..1936ffbc2 100644
--- a/te_macros
+++ b/te_macros
@@ -247,18 +247,6 @@ allow $1 security_file:dir r_dir_perms;
 allow $1 security_file:file r_file_perms;
 ')
 
-#####################################
-# selinux_manage_policy(domain)
-# Ability to manage policy files and
-# trigger runtime reload.
-define(`selinux_manage_policy', `
-security_access_policy($1)
-allow $1 security_file:dir create_dir_perms;
-allow $1 security_file:file create_file_perms;
-allow $1 security_file:lnk_file { create rename unlink };
-set_prop($1, security_prop)
-')
-
 #####################################
 # mmac_manage_policy(domain)
 # Ability to manage mmac policy files,
-- 
GitLab