Don't grant hard link capabilities by default.

Modify create_file_perms and create_dir_perms so it doesn't have the "link" permission. This permission controls whether hard links are allowed or not on the given file label. Hard links are a common source of security bugs, and isn't something we want to support by default. Get rid of link_file_perms and move the necessary permissions into create_file_perms and create_dir_perms. Nobody is using this macro, so it's pointless to keep it around. Get rid of unlink on directories. It returns EISDIR if you attempt to do it, independent of SELinux permissions. SELinux domains which have a need for hard linking for a particular file type can add it back to their permission set on an as-needed basis. Add a compile time assertion (neverallow rule) for untrusted_app. It's particularly dangerous for untrusted_app to ever have hard link capabilities, and the neverallow rule will prevent regressions. Bug: 19953790 Change-Id: I5e9493d2bf5da460d074f0bc5ad8ba7c14dec6e0

Don't grant hard link capabilities by default.
85ce2c70 · Nick Kralevich · 6b03bbab · 85ce2c70 · 85ce2c70
Commit 85ce2c70 authored 10 years ago by Nick Kralevich
--- a/global_macros
+++ b/global_macros
@@ -25,14 +25,13 @@ define(`rx_file_perms', `{ r_file_perms x_file_perms }')
 define(`ra_file_perms', `{ r_file_perms append }')
 define(`rw_file_perms', `{ r_file_perms w_file_perms }')
 define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
-define(`link_file_perms', `{ getattr link unlink rename }')
-define(`create_file_perms', `{ create setattr rw_file_perms link_file_perms }')
+define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')

 define(`r_dir_perms', `{ open getattr read search ioctl }')
 define(`w_dir_perms', `{ open search write add_name remove_name }')
 define(`ra_dir_perms', `{ r_dir_perms add_name write }')
 define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
-define(`create_dir_perms', `{ create reparent rmdir setattr rw_dir_perms link_file_perms }')
+define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')

 define(`r_ipc_perms', `{ getattr read associate unix_read }')
 define(`w_ipc_perms', `{ write unix_write }')

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -176,3 +176,11 @@ neverallow untrusted_app property_type:property_service set;
 # never be granted to any other domain within mlstrustedsubject)
 # and untrusted_app is allowed fork permission to itself.
 neverallow untrusted_app mlstrustedsubject:process fork;
+
+# Do not allow untrusted_app to hard link to any files.
+# In particular, if untrusted_app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure untrusted_app never has this
+# capability.
+neverallow untrusted_app file_type:file link;