neverallow mounton lnk_file fifo_file sock_file

Add a compile time assertion that no SELinux rule exists which allows mounting on top of symbolic links, fifo files, or socket files. Remove the capability from unconfined domains. Change-Id: I6d7cc95cd17e2e5f165fa5948563800ed206bb71

neverallow mounton lnk_file fifo_file sock_file
74ddf301 · Nick Kralevich · 68a8f780 · 74ddf301 · 74ddf301
Commit 74ddf301 authored 10 years ago by Nick Kralevich
--- a/domain.te
+++ b/domain.te
@@ -362,3 +362,7 @@ neverallow {
 # that over time, the kernel global tables used to implement SysV IPCs will fill
 # up.
 neverallow domain domain:{ shm sem msg msgq } *;
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
--- a/unconfined.te
+++ b/unconfined.te
@@ -43,8 +43,8 @@ allow unconfineddomain domain:{
    tun_socket
 } *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
-allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
 allow unconfineddomain {
    file_type
    -keystore_data_file
@@ -55,7 +55,7 @@ allow unconfineddomain {
    -shell_data_file
    -app_data_file
    -unlabeled
-}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
 allow unconfineddomain exec_type:dir r_dir_perms;
 allow unconfineddomain exec_type:file { r_file_perms execute };
 allow unconfineddomain exec_type:lnk_file r_file_perms;