From 6d0e9c8f4ee4f326b2c2851fa2851193fec33a4e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 1 Aug 2015 20:14:21 -0700
Subject: [PATCH] init.te: delete kernel load policy support

Remove the ability to dynamically update SELinux policy on the
device.

1) This functionality has never been used, so we have no idea if
it works or not.

2) If system_server is compromised, this functionality allows a
complete bypass of the SELinux policy on the device. In particular,
an attacker can force a regression of the following patch
  * https://android-review.googlesource.com/138510
see also https://code.google.com/p/android/issues/detail?id=181826

3) Dynamic policy update can be used to bypass neverallow protections
enforced in CTS, by pushing a policy to the device after certification.
Such an updated policy could bring the device out of compliance or
deliberately introduce security weaknesses.

(cherrypicked from commit e827a8ab27020be0f266a5a6083b11308fe1a349)

Bug: 22885422
Bug: 8949824
Change-Id: I802cb61fd18a452a2bb71c02fe57cfce5b7e9dc8
---
 domain.te | 5 ++---
 init.te   | 1 -
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/domain.te b/domain.te
index e7e0d7d67..2af36e811 100644
--- a/domain.te
+++ b/domain.te
@@ -209,11 +209,10 @@ neverallow domain self:capability2 mac_override;
 # Only recovery needs mac_admin to set contexts not defined in current policy.
 neverallow { domain -recovery } self:capability2 mac_admin;
 
-# Only init should be able to load SELinux policies.
+# Nobody should be able to load a new SELinux policy.
 # The first load technically occurs while still in the kernel domain,
 # but this does not trigger a denial since there is no policy yet.
-# Policy reload requires allowing this to the init domain.
-neverallow { domain -init } kernel:security load_policy;
+neverallow domain kernel:security load_policy;
 
 # Only init and the system_server can set selinux.reload_policy 1
 # to trigger a policy reload.
diff --git a/init.te b/init.te
index 437066acc..4bf40f53b 100644
--- a/init.te
+++ b/init.te
@@ -123,7 +123,6 @@ allow init security_file:dir { create setattr };
 
 # Reload policy upon setprop selinux.reload_policy 1.
 r_dir_file(init, security_file)
-allow init kernel:security load_policy;
 
 # Any operation that can modify the kernel ring buffer, e.g. clear
 # or a read that consumes the messages that were read.
-- 
GitLab