Only init should be able to load a security policy

Bug: 9859477 Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b

Only init should be able to load a security policy
2637198f · Nick Kralevich · 8a2ebe34 · 2637198f · 2637198f · 2637198f
Commit 2637198f authored 11 years ago by Nick Kralevich
--- a/app.te
+++ b/app.te
@@ -138,7 +138,7 @@ neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
 neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };
 # Load security policy.
-neverallow { appdomain -unconfineddomain } kernel:security load_policy;
+neverallow appdomain kernel:security load_policy;
 # Privileged netlink socket interfaces.
 neverallow { appdomain -unconfineddomain }

--- a/domain.te
+++ b/domain.te
@@ -135,3 +135,10 @@ allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
 allow domain unlabeled:lnk_file { create_file_perms };
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
+###
+### neverallow rules
+###
+# Only init should be able to load SELinux policies
+neverallow { domain -init } kernel:security load_policy;
--- a/init.te
+++ b/init.te
@@ -9,3 +9,4 @@ relabelto_domain(init)
 allow init unlabeled:filesystem mount;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
+allow init kernel:security load_policy;
--- a/unconfined.te
+++ b/unconfined.te
 allow unconfineddomain self:capability_class_set *;
-allow unconfineddomain kernel:security *;
+allow unconfineddomain kernel:security ~load_policy;
 allow unconfineddomain kernel:system *;
 allow unconfineddomain self:memprotect *;
 allow unconfineddomain domain:process *;