From e69a32a1a83bf71654aabb0917c4eb6e2ad4bbf3 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 8 May 2014 08:41:54 -0400
Subject: [PATCH] Drop rw access to unlabeled files.

This access should no longer be required due to restorecon_recursive of /data
by init.rc (which covers everything outside of /data/data) and due to
restorecon_recursive of /data/data by installd (which covers the /data/data
directories).

Move the neverallow rule on relabelto to the neverallow section.
We could potentially drop this altogether, along with the relabelto_domain
macro and its callers, since its motivation was to provide some
safeguard in spite of allowing relabelfrom to unlabeled files for
all domains and this change removes relabelfrom.

unconfined still retains rw access to unlabeled, as do specific domains
that are explicitly allowed it.

Change-Id: Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te | 20 +++-----------------
 1 file changed, 3 insertions(+), 17 deletions(-)

diff --git a/domain.te b/domain.te
index f61fd1634..38ee315ff 100644
--- a/domain.te
+++ b/domain.te
@@ -142,27 +142,13 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
 
-######## Backwards compatibility - Unlabeled files ############
-
-# Revert to DAC rules when looking at unlabeled files. Over time, the number
-# of unlabeled files should decrease.
-# TODO: delete these rules in the future.
-#
-# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
-# capability, it's essentially useless. This is needed to allow an app with
-# relabelto to relabel unlabeled files.
-#
-allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-allow domain unlabeled:dir { create_dir_perms relabelfrom };
-auditallow { domain -init } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-auditallow { domain -init -kernel } unlabeled:dir { create_dir_perms relabelfrom };
-auditallow kernel unlabeled:dir ~search;
-neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
-
 ###
 ### neverallow rules
 ###
 
+# Limit ability to relabel files to domains marked with relabelto_domain().
+neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
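Review bot: The relocated neverallow on the `relabelto` line keeps the restriction, but the hunk also drops the only comment that explained the relabelfrom side of the picture, and after this change `relabelfrom` on the `unlabeled` type is no longer granted to every domain. A domain marked with relabelto_domain() therefore still cannot relabel an unlabeled file unless it is separately allowed `relabelfrom` on `unlabeled`; the commit message relies on init.rc and installd running restorecon_recursive, so whether those domains carry that grant elsewhere in the policy is outside this hunk and worth confirming. Suggest extending the new comment to make this explicit, e.g. `# Note: relabelfrom on unlabeled is no longer granted to all domains; a domain that must relabel unlabeled files needs an explicit allow for relabelfrom on unlabeled as well as relabelto_domain().` Since the neverallow's target is `*`, moving it between sections is behavior-neutral; the removal of the auditallow lines means any remaining unlabeled files will now surface as AVC denials rather than audit records, which is the intended signal but should be watched for during bring-up.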
-- 
GitLab