From 3927086dbad4f3424d64ed3aef0f34cf4ec33226 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 22 Feb 2017 14:30:47 -0800
Subject: [PATCH] kernel: neverallow dac_{override,read_search} perms

The kernel should never be accessing files owned by other users.

Disallow this access.

Test: Marlin builds. Neverallow rules are build-time assertions;
they do not affect policy on the device.

Change-Id: I6ba2eb27c0e2ecf46974059588508cd3223baceb
---
 public/kernel.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/public/kernel.te b/public/kernel.te
index c404fc077..d1463dcd7 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -90,3 +90,8 @@ neverallow * kernel:process { transition dyntransition };
 # - You are running an exploit which switched to the init task credentials
 #   and is then trying to exec a shell or other program.  You lose!
 neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:capability { dac_override dac_read_search };
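Review bot: The new comment at the bottom of the hunk starts lowercase ("# the kernel should not be accessing files owned by other users.") while the surrounding comments in this file, including the block immediately above ("# - You are running an exploit ..."), start with a capital letter; change it to "# The kernel should not be accessing files owned by other users." for consistency. Since this neverallow is only checked at build time (as the commit message itself says) and only Marlin is listed under Test:, it would also help to state in the commit message that no other device policy grants dac_override or dac_read_search to the kernel domain, as any that does will now fail to build.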
-- 
GitLab