Merge "kernel: neverallow dac_{override,read_search} perms"

eb036bd0 · Treehugger Robot · Gerrit Code Review · 3355de13 · 3927086d · eb036bd0
Commit eb036bd0 authored 8 years ago by Treehugger Robot Committed by Gerrit Code Review 8 years ago
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -90,3 +90,8 @@ neverallow * kernel:process { transition dyntransition };
 # - You are running an exploit which switched to the init task credentials
 #   and is then trying to exec a shell or other program.  You lose!
 neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:capability { dac_override dac_read_search };