Restrict /data/security and setprop selinux.reload_policy access.

Remove /data/security and setprop selinux.reload_policy access from unconfineddomain, and only add back what is needed to init (system_server already gets the required allow rules via the selinux_manage_policy macro). init (via init.rc post-fs-data) originally creates /data/security and may later restorecon it. init also sets the property (also from init.rc post-fs-data) to trigger a reload once /data is mounted. The system_server (SELinuxPolicyInstallReceiver in particular) creates subdirectories under /data/security for updates, writes files to these subdirectories, creates the /data/security/current symlink to the update directory, and sets the property to trigger a reload when an update bundle is received. Add neverallow rules to ensure that we do not allow undesired access to security_file or security_prop. This is only truly meaningful if the support for /data/security policies is restored, but is harmless otherwise. Also drop the persist.mmac property_contexts entry; it was never used in AOSP, only in our tree (for middleware MAC) and is obsolete. Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Restrict /data/security and setprop selinux.reload_policy access.
3235f61a · Stephen Smalley · e60723ab · 3235f61a · 3235f61a · 3235f61a
Commit 3235f61a authored 10 years ago by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -268,9 +268,6 @@ neverallow { appdomain -unconfineddomain -system_app }
    { create write setattr relabelfrom relabelto append unlink link rename };

 # Write to various other parts of /data.
-neverallow { appdomain -system_app -unconfineddomain }
-    security_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set

--- a/domain.te
+++ b/domain.te
@@ -189,6 +189,23 @@ neverallow { domain -recovery } self:capability2 mac_admin;
 # Policy reload requires allowing this to the init domain.
 neverallow { domain -init } kernel:security load_policy;

+# Only init and the system_server can set selinux.reload_policy 1
+# to trigger a policy reload.
+neverallow { domain -init -system_server } security_prop:property_service set;
+
+# Only init and system_server can write to /data/security, where runtime
+# policy updates live.
+# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
+neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
+# Only init and system_server can create/setattr directories with this type.
+# init is for init.rc mkdir /data/security.
+# system_server is for creating subdirectories under /data/security.
+neverallow { domain -init -system_server } security_file:dir { create setattr };
+# Only system_server can create subdirectories and files under /data/security.
+neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
+neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
+neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
+
 # Only init prior to switching context should be able to set enforcing mode.
 # init starts in kernel domain and switches to init domain via setcon in
 # the init.rc, so the setenforce occurs while still in kernel. After

--- a/init.te
+++ b/init.te
@@ -23,7 +23,14 @@ allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init unlabeled:dir { create_dir_perms relabelfrom };
 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };

+# Create /data/security from init.rc post-fs-data.
+allow init security_file:dir { create setattr };
+
+# setprop selinux.reload_policy 1 from init.rc post-fs-data.
+allow init security_prop:property_service set;
+
 # Reload policy upon setprop selinux.reload_policy 1.
+r_dir_file(init, security_file)
 allow init kernel:security load_policy;

 # Any operation that can modify the kernel ring buffer, e.g. clear

--- a/property_contexts
+++ b/property_contexts
@@ -39,9 +39,6 @@ persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0

-# mmac persistent properties
-persist.mmac.			u:object_r:security_prop:s0
-
 # selinux non-persistent properties
 selinux.                u:object_r:security_prop:s0


--- a/unconfined.te
+++ b/unconfined.te
@@ -29,13 +29,13 @@ allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
@@ -44,4 +44,4 @@ allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
 allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
-allow unconfineddomain property_type:property_service set;
+allow unconfineddomain { property_type -security_prop }:property_service set;