From 526dec51d51c0903e12bcf37d19c139564ad5fc4 Mon Sep 17 00:00:00 2001
From: Luis Hector Chavez <lhchavez@google.com>
Date: Thu, 23 Feb 2017 14:40:56 -0800
Subject: [PATCH] Restrict /proc/sys/vm/mmap_rnd_bits

Label /proc/sys/vm/mmap_rnd_bits so it is only readable and writable by init. This also tightens the neverallow restrictions for proc_security.

Bug: 33563834
Test: run cts -m CtsPermissionTestCases -t \
android.permission.cts.FileSystemPermissionTest#testProcfsMmapRndBitsExistsAndSane
Change-Id: Ie7af39ddbf23806d4ffa35e7b19d30fec7b6d410
(cherry picked from commit 64a0503831f3f6c44e350a112f5e36a4569f3e1a)
---
 domain.te | 2 +-
 genfs_contexts | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 45569de4c..023eac303 100644
--- a/domain.te
+++ b/domain.te
@@ -243,7 +243,7 @@ neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append write };
+neverallow { domain -init } proc_security:file { append open read write };
 
 # No domain should be allowed to ptrace init.
 neverallow * init:process ptrace;
diff --git a/genfs_contexts b/genfs_contexts
index 31794a1e8..965d3f05e 100644
--- a/genfs_contexts
+++ b/genfs_contexts
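Review bot: The comment above the changed neverallow still says only "configure", while the rule now also forbids `open read` on proc_security for every domain except init; since the usermodehelper rule on the line above keeps `{ append write }`, the comment should distinguish the two, e.g. `# Only init should be able to configure kernel usermodehelpers, and only init` / `# should be able to read or configure security-sensitive proc settings.` Any allow rule elsewhere in the policy that grants read on proc_security would now fail this neverallow at policy build time; the hunk does not show that audit, so I assume it was done as part of this change. `getattr` is left out of the new set, which presumably keeps stat/readdir of these entries working for other domains — if that is deliberate, a short comment saying so would stop a later reviewer from "tightening" it further.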
@@ -22,6 +22,8 @@ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
-- GitLab
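Review bot: The hunk also relabels `/sys/vm/mmap_rnd_compat_bits`, which neither the subject nor the description mentions; the message should name both sysctls so the scope of the restriction is visible from the log. The Test: line only exercises mmap_rnd_bits (`testProcfsMmapRndBitsExistsAndSane`); on a device where the compat file is present, a matching check that it carries the proc_security label and is unreadable from an unprivileged domain would confirm the second line takes effect. A genfscon entry for a path that does not exist on a given kernel is simply never matched, so the compat line should be harmless where that sysctl is absent — this is inferred from how genfscon works, not from anything in the hunk.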