Remove domain unlabeled access.

https://android-review.googlesource.com/#/c/95900/ added allow rules for unlabeled access as needed to all confined domains. Therefore we can remove it from domain. The only other domain that truly needs unlabeled access is init, which presently inherits it from unconfineddomain. Also prevent rules that would permit any confined domain from creating new unlabeled files on the system. Change-Id: I31c6478b42fbf60e3b7893b9578b6ad50170def6 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove domain unlabeled access.
cb23ca92 · Stephen Smalley · Nick Kralevich · 6f6c4255 · cb23ca92
Commit cb23ca92 authored 10 years ago by Stephen Smalley Committed by Nick Kralevich 10 years ago
--- a/domain.te
+++ b/domain.te
@@ -143,31 +143,13 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
-######## Backwards compatibility - Unlabeled files ############
-# Revert to DAC rules when looking at unlabeled files. Over time, the number
-# of unlabeled files should decrease.
-# TODO: delete these rules in the future.
-#
-allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-allow domain unlabeled:dir { create_dir_perms relabelfrom };
-auditallow { domain -init -installd -vold -system_server } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-auditallow { domain -init -kernel -installd -vold -system_server } unlabeled:dir { create_dir_perms relabelfrom };
-auditallow kernel unlabeled:dir ~search;
-auditallow installd unlabeled:dir ~{ getattr search relabelfrom rw_dir_perms rmdir };
-auditallow installd unlabeled:file ~{ r_file_perms getattr relabelfrom rename unlink setattr };
-auditallow installd unlabeled:{ lnk_file sock_file fifo_file } ~{ getattr relabelfrom rename unlink setattr };
-auditallow vold unlabeled:dir ~{ r_dir_perms setattr relabelfrom };
-auditallow vold unlabeled:file ~{ r_file_perms setattr relabelfrom };
-auditallow vold unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
-auditallow system_server unlabeled:dir ~r_dir_perms;
-auditallow system_server unlabeled:file ~r_file_perms;
-auditallow system_server unlabeled:{ lnk_file sock_file fifo_file } { create_file_perms relabelfrom };
 ###
 ### neverallow rules
 ###
+# Do not allow any confined domain to create new unlabeled files.
+neverallow { domain -unconfineddomain } unlabeled:dir_file_class_set create;
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;