From 5487ca00d4788de367a9d099714f6df4d86ef261 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 10 Feb 2014 16:31:04 -0500
Subject: [PATCH] Remove several superuser capabilities from unconfined
 domains.

Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module.  It can be added back where appropriate in device
policy if using a modular kernel.  No neverallow since it is device
specific.

Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te     | 10 ++++++++++
 init.te       |  2 ++
 kernel.te     |  5 +++++
 recovery.te   |  4 ++++
 unconfined.te |  2 +-
 5 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 7cc7f133c..13ce01604 100644
--- a/domain.te
+++ b/domain.te
@@ -154,7 +154,17 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 ### neverallow rules
 ###
 
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these whitelisted domains.
+neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
+
+# Limit device node creation and raw I/O to these whitelisted domains.
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold } self:capability { sys_rawio mknod };
+
+# No domain needs mac_override as it is unused by SELinux.
 neverallow domain self:capability2 mac_override;
+
+# Only recovery needs mac_admin to set contexts not defined in current policy.
 neverallow { domain -recovery } self:capability2 mac_admin;
 
 # Only init should be able to load SELinux policies.
diff --git a/init.te b/init.te
index 84fbf5a0f..efce6e7d8 100644
--- a/init.te
+++ b/init.te
@@ -7,6 +7,8 @@ relabelto_domain(init)
 # add a rule to handle unlabelled mounts
 allow init unlabeled:filesystem mount;
 
+allow init self:capability { sys_rawio mknod };
+
 allow init fs_type:filesystem *;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
diff --git a/kernel.te b/kernel.te
index 106d48ec7..af107910f 100644
--- a/kernel.te
+++ b/kernel.te
@@ -16,3 +16,8 @@ allow kernel self:security setenforce;
 
 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel self:security setcheckreqprot;
+
+# For operations performed by kernel or init prior to switching to init domain.
+## TODO: Investigate whether it is safe to remove these
+allow kernel self:capability { sys_rawio mknod };
+auditallow kernel self:capability { sys_rawio mknod };
diff --git a/recovery.te b/recovery.te
index 37d645593..ea444c4bb 100644
--- a/recovery.te
+++ b/recovery.te
@@ -13,3 +13,7 @@ allow recovery fs_type:filesystem *;
 allow recovery self:process execmem;
 allow recovery ashmem_device:chr_file execute;
 allow recovery tmpfs:file rx_file_perms;
+
+## TODO: Investigate whether it is safe to remove these
+allow recovery self:capability { sys_rawio mknod };
+auditallow recovery self:capability { sys_rawio mknod };
diff --git a/unconfined.te b/unconfined.te
index ac0de840f..8415ada78 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -16,7 +16,7 @@
 # The use of this template is discouraged.
 ######################################################
 
-allow unconfineddomain self:capability *;
+allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module };
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
 allow unconfineddomain kernel:system *;
-- 
GitLab