Commit 7028bdcc authored by William Roberts, committed by William C Roberts

neverallow: domain execute data_file_type


To help reduce code injection paths, a neverallow is placed
to prevent domain, sans untrusted_app and shell, execute
on data_file_type. A few data_file_type's are also exempt
from this rule as they label files that should be executable.

Additional constraints, on top of the above, are placed on domains
system_server and zygote. They can only execute data_file_type's
of type dalvikcache_data_file.

Change-Id: I15dafbce80ba2c85a03c23128eae4725703d5f02
Signed-off-by: William Roberts <william.c.roberts@intel.com>
parent 99fe8df2
...@@ -304,6 +304,18 @@ neverallow { ...@@ -304,6 +304,18 @@ neverallow {
# Files from cache should never be executed # Files from cache should never be executed
neverallow domain { cache_file cache_backup_file }:file execute; neverallow domain { cache_file cache_backup_file }:file execute;
# Protect most domains from executing arbitrary content from /data.
neverallow {
domain
-untrusted_app
-shell
} {
data_file_type
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
# Only the init property service should write to /data/property. # Only the init property service should write to /data/property.
neverallow { domain -init } property_data_file:dir no_w_dir_perms; neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file no_w_file_perms; neverallow { domain -init } property_data_file:file no_w_file_perms;
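Review bot: the `-system_data_file # shared libs in apks` exemption is the weak point of this hunk. system_data_file is a broad label covering far more than the shared libraries extracted from APKs, so carving the whole type out of the neverallow leaves every domain (not just untrusted_app and shell) free to execute a large slice of /data, which undercuts the stated goal of closing code-injection paths. Either introduce a dedicated type for the APK native-library directories and exempt only that, or expand the comment to name the exact system_data_file paths that must stay executable so the carve-out can be revisited. The `-dalvikcache_data_file` and `-apk_data_file` exemptions are clear as written; consider also noting in the comment why untrusted_app and shell are excluded from the subject set, since that is the other half of the attack surface this rule leaves open.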
...@@ -440,6 +440,12 @@ neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app ...@@ -440,6 +440,12 @@ neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app
# want to allow. # want to allow.
neverallow system_server dex2oat_exec:file no_x_file_perms; neverallow system_server dex2oat_exec:file no_x_file_perms;
# system_server should never execute anything from /data except for /data/dalvik-cache files.
neverallow system_server {
data_file_type
-dalvikcache_data_file #mapping with PROT_EXEC
}:file no_x_file_perms;
# The only block device system_server should be accessing is # The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root # the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices. # escalation by writing to raw block devices.
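Review bot: the comment above the new system_server rule should state how it relates to the domain-wide rule in the first hunk. system_server is already covered by `neverallow { domain -untrusted_app -shell } { data_file_type ... }`, so the value of this rule is that it drops the system_data_file and apk_data_file carve-outs for system_server specifically; saying so explicitly keeps a future reader from deleting one of the two rules as redundant. Minor style point: `-dalvikcache_data_file #mapping with PROT_EXEC` is missing the space after `#` and uses different wording from the identical exemption in the zygote hunk (`# map PROT_EXEC`); pick one phrasing for both.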
...@@ -78,3 +78,9 @@ allow zygote zygote_exec:file rx_file_perms; ...@@ -78,3 +78,9 @@ allow zygote zygote_exec:file rx_file_perms;
# setcon (dyntransition) to any types other than those associated # setcon (dyntransition) to any types other than those associated
# with appdomain plus system_server. # with appdomain plus system_server.
neverallow zygote ~{ appdomain system_server }:process dyntransition; neverallow zygote ~{ appdomain system_server }:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {
data_file_type
-dalvikcache_data_file # map PROT_EXEC
}:file no_x_file_perms;
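Review bot: this zygote rule has the same body as the system_server rule in the previous hunk, and both tighten the domain-wide neverallow from the first hunk by removing the system_data_file and apk_data_file exemptions. The comment should say so, and the two rules should use the same comment wording (`# map PROT_EXEC` here versus `#mapping with PROT_EXEC` there) so that anyone later widening one exemption is prompted to review the other. Given that zygote forks every app process, keeping dalvikcache_data_file as the only executable data type here is the right call; the comment could name that consequence directly.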