From 959fdaaa25d7dbfad8a1900dfe9575f873cea649 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 9 Jan 2014 08:28:06 -0500
Subject: [PATCH] Remove unlabeled execute access from domain, add to
 appdomain.

Otherwise all domains can create/write files that are executable
by all other domains.  If I understand correctly, this should
only be necessary for app domains executing content from legacy
unlabeled userdata partitions on existing devices and zygote
and system_server mappings of dalvikcache files, so only allow
it for those domains.

If required for others, add it to the individual
domain .te file, not for all domains.

Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te           | 4 ++++
 domain.te        | 2 +-
 system_server.te | 5 +++++
 zygote.te        | 5 +++++
 4 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/app.te b/app.te
index 7d4acfb70..00af7e76d 100644
--- a/app.te
+++ b/app.te
@@ -158,6 +158,10 @@ allow appdomain usbaccessory_device:chr_file { read write getattr };
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
 
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+allow appdomain unlabeled:file x_file_perms;
+
 ###
 ### CTS-specific rules
 ###
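Review bot: The new rule on line 36 grants appdomain the whole x_file_perms macro, whereas the system_server.te and zygote.te hunks of this same patch grant only the single `execute` permission and document the mmap/mprotect PROT_EXEC case it serves. If apps genuinely need more than `execute` on legacy unlabeled files (presumably execve of unlabeled binaries, which the macro would cover), the comment on lines 34-35 should say which permission that is; otherwise narrowing to `allow appdomain unlabeled:file execute;` would keep the three files consistent and the grant minimal. Either way the comment should record that this is a transitional allowance for devices whose userdata was never relabeled, so it can be revisited once that case no longer exists.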
diff --git a/domain.te b/domain.te
index 653a50776..f5d4baed8 100644
--- a/domain.te
+++ b/domain.te
@@ -129,7 +129,7 @@ allow domain security_file:file getattr;
 # capability, it's essentially useless. This is needed to allow an app with
 # relabelto to relabel unlabeled files.
 #
-allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
+allow domain unlabeled:file { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
 allow domain unlabeled:lnk_file { create_file_perms };
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
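Review bot: The comment block above the changed rule (it starts before line 46, outside this hunk) is what app.te, system_server.te and zygote.te now point readers to for the "discussion of Unlabeled files", yet nothing in domain.te records that execute access was deliberately dropped from domain and moved to those three domains. Adding a line after line 48 such as `# Execute access to unlabeled files is intentionally not granted to all domains; see app.te, zygote.te and system_server.te.` would keep the cross-references accurate and discourage re-adding it here. Note also that line 50 keeps create_file_perms, so if that macro includes rw_file_perms as in the global macros, every domain can still create and write unlabeled files that appdomain, zygote and system_server may then execute; that residual path is presumably accepted for legacy devices, but it is worth stating in the comment so the remaining exposure is documented rather than implied.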
diff --git a/system_server.te b/system_server.te
index 37d4cc632..22d739bd2 100644
--- a/system_server.te
+++ b/system_server.te
@@ -239,3 +239,8 @@ allow system_server fscklogs:file unlink;
 
 # For SELinuxPolicyInstallReceiver
 selinux_manage_policy(system_server)
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow system_server unlabeled:file execute;
diff --git a/zygote.te b/zygote.te
index 9092457e4..daa978264 100644
--- a/zygote.te
+++ b/zygote.te
@@ -50,3 +50,8 @@ allow zygote ashmem_device:chr_file execute;
 allow zygote shell_data_file:file { write getattr };
 allow zygote system_server:binder { transfer call };
 allow zygote servicemanager:binder { call };
+
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow zygote unlabeled:file execute;
-- 
GitLab