Remove mount-related permissions from unconfined domains.

Only allow to specific domains as required, and add a neverallow to prevent allowing it to other domains not explicitly whitelisted. sdcard_type is exempted from the neverallow since more domains require the ability to mount it, including device-specific domains. Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove mount-related permissions from unconfined domains.
b081cc1e · Stephen Smalley · Nick Kralevich · 48b18832 · b081cc1e · b081cc1e
Commit b081cc1e authored 11 years ago by Stephen Smalley Committed by Nick Kralevich 11 years ago
--- a/domain.te
+++ b/domain.te
@@ -199,3 +199,8 @@ neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read
 # Rather force a relabel to a more specific type.
 # ueventd is exempt from this, as its managing these devices.
 neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
--- a/init.te
+++ b/init.te
@@ -7,6 +7,7 @@ relabelto_domain(init)
 # add a rule to handle unlabelled mounts
 allow init unlabeled:filesystem mount;
+allow init fs_type:filesystem *;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
 allow init usermodehelper:file rw_file_perms;

--- a/kernel.te
+++ b/kernel.te
@@ -9,6 +9,7 @@ relabelto_domain(kernel)
 allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow kernel unlabeled:filesystem mount;
+allow kernel fs_type:filesystem *;
 # Initial setenforce by init prior to switching to init domain.
 allow kernel self:security setenforce;

--- a/recovery.te
+++ b/recovery.te
@@ -8,6 +8,7 @@ allow recovery self:capability2 mac_admin;
 allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
 allow recovery unlabeled:filesystem mount;
+allow recovery fs_type:filesystem *;
 allow recovery self:process execmem;
 allow recovery ashmem_device:chr_file execute;

--- a/unconfined.te
+++ b/unconfined.te
@@ -28,7 +28,6 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};