sepolicy: Define and allow map permission

Kernel commit 3ba4bf5f1e2c ("selinux: add a map permission check for mmap") added a map permission check on mmap so that we can distinguish memory mapped access (since it has different implications for revocation). The purpose of a separate map permission check on mmap(2) is to permit policy to prohibit memory mapping of specific files for which we need to ensure that every access is revalidated, particularly useful for scenarios where we expect the file to be relabeled at runtime in order to reflect state changes (e.g. cross-domain solution, assured pipeline without data copying). The kernel commit is anticipated to be included in Linux 4.13. This change defines map permission for the Android policy. It mirrors the definition in the kernel classmap by adding it to the common definitions for files and sockets. This will break compatibility for kernels that predate the dynamic class/perm mapping support (< 2.6.33); on such kernels, one would instead need to add map permission to the end of each file and socket access vector. This change also adds map permission to the global macro definitions for file permissions, thereby allowing it in any allow rule that uses these macros, and to specific rules allowing mapping of files from /system and executable types. This should cover most cases where it is needed, although it may still need to be added to specific allow rules when the global macros are not used. Test: Policy builds Change-Id: Iab3ccd2b6587618e68ecab58218838749fe5e7f5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

sepolicy: Define and allow map permission
4397f082 · Stephen Smalley · 90ae4f6b · 4397f082 · 4397f082 · 4397f082
Commit 4397f082 authored 7 years ago by Stephen Smalley
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -20,6 +20,7 @@ common file
 	relabelfrom
 	relabelto
 	append
+	map
 	unlink
 	link
 	rename
@@ -46,6 +47,7 @@ common socket
 	relabelfrom
 	relabelto
 	append
+	map
 # socket-specific
 	bind
 	connect

--- a/public/domain.te
+++ b/public/domain.te
@@ -94,7 +94,7 @@ write_logd(domain)
 # System file accesses.
 allow domain system_file:dir { search getattr };
-allow domain system_file:file { execute read open getattr };
+allow domain system_file:file { execute read open getattr map };
 allow domain system_file:lnk_file { getattr read };
 # read any sysfs symlinks

--- a/public/global_macros
+++ b/public/global_macros
@@ -18,9 +18,9 @@ define(`ipc_class_set', `{ sem msgq shm ipc }')
 #####################################
 # Common groupings of permissions.
 #
-define(`x_file_perms', `{ getattr execute execute_no_trans }')
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
-define(`r_file_perms', `{ getattr open read ioctl lock }')
+define(`r_file_perms', `{ getattr open read ioctl lock map }')
-define(`w_file_perms', `{ open append write lock }')
+define(`w_file_perms', `{ open append write lock map }')
 define(`rx_file_perms', `{ r_file_perms x_file_perms }')
 define(`ra_file_perms', `{ r_file_perms append }')
 define(`rw_file_perms', `{ r_file_perms w_file_perms }')

--- a/public/te_macros
+++ b/public/te_macros
@@ -8,10 +8,10 @@
 #
 define(`domain_trans', `
 # Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute };
+allow $1 $2:file { getattr open read execute map };
 allow $1 $3:process transition;
 # New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr };
+allow $3 $2:file { entrypoint open read execute getattr map };
 # New domain can send SIGCHLD to its caller.
 ifelse($1, `init', `', `allow $3 $1:process sigchld;')
 # Enable AT_SECURE, i.e. libc secure mode.