Remove write access to rootfs files.

Remove write access to rootfs files from unconfineddomain and prevent adding it back via neverallow. This is only applied to regular files, as we are primarily concerned with preventing writing to a file that can be exec'd and because creation of directories or symlinks in the rootfs may be required for mount point directories. Change-Id: If2c96da03f5dd6f56de97131f6ba9eceea328721 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove write access to rootfs files.
04b8a75c · Stephen Smalley · Nick Kralevich · f3c3a1aa · 04b8a75c · 04b8a75c
Commit 04b8a75c authored 10 years ago by Stephen Smalley Committed by Nick Kralevich 10 years ago
--- a/domain.te
+++ b/domain.te
@@ -277,6 +277,9 @@ neverallow { domain -init } property_data_file:file { create setattr relabelfrom
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

+# Nothing should be writing to files in the rootfs.
+neverallow domain rootfs:file { create write setattr relabelfrom relabelto append unlink link rename };
+
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
 neverallow domain {fs_type -contextmount_type}:filesystem relabelto;

--- a/unconfined.te
+++ b/unconfined.te
@@ -70,6 +70,7 @@ allow unconfineddomain {
    -usermodehelper
    -proc_security
    -contextmount_type
+    -rootfs
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {