Prevent adding transitions to kernel or init domains.

Add neverallow rules to prohibit adding any transitions into the kernel or init domains. Rewrite the domain self:process rule to use a positive permission list and omit the transition and dyntransition permissions from this list as well as other permissions only checked when changing contexts. This should be a no-op since these permissions are only checked when changing contexts but avoids needing to exclude kernel or init from the neverallow rules. Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Prevent adding transitions to kernel or init domains.
bac4ccce · Stephen Smalley · Nick Kralevich · 718bf84b · bac4ccce · bac4ccce
Commit bac4ccce authored 10 years ago by Stephen Smalley Committed by Nick Kralevich 10 years ago
--- a/domain.te
+++ b/domain.te
@@ -11,7 +11,23 @@ allow domain tmpfs:file { read getattr };
 allow domain tmpfs:dir r_dir_perms;

 # Intra-domain accesses.
-allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate };
+allow domain self:process {
+    fork
+    sigchld
+    sigkill
+    sigstop
+    signull
+    signal
+    getsched
+    setsched
+    getsession
+    getpgid
+    setpgid
+    getcap
+    setcap
+    getattr
+    setrlimit
+};
 allow domain self:fd use;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;

--- a/init.te
+++ b/init.te
@@ -76,3 +76,13 @@ allow init self:process { setexec setfscreate setsockcreate };
 # Create /data/property and files within it.
 allow init property_data_file:dir create_dir_perms;
 allow init property_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+# The init domain is only entered via setcon from the kernel domain,
+# never via an exec-based transition.
+neverallow { domain -kernel} init:process dyntransition;
+neverallow domain init:process transition;
+neverallow init { file_type fs_type }:file entrypoint;
--- a/kernel.te
+++ b/kernel.te
@@ -30,3 +30,11 @@ dontaudit kernel self:security setenforce;

 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel self:security setcheckreqprot;
+
+###
+### neverallow rules
+###
+
+# The initial task starts in the kernel domain (assigned via
+# initial_sid_contexts), but nothing ever transitions to it.
+neverallow domain kernel:process { transition dyntransition };