Clean up kernel, init, and recovery domains.

Narrow the relabelto rules to a more specific type set for each domain. Drop mount permissions from the kernel domain since mounting occurs after switching to the init domain. This was likely a residual of when all processes were left in the kernel domain on a recovery boot due to the missing setcon statement in the recovery init.rc. Be consistent with unlabeled filesystems (i.e. filesystems without any matching fs_use or genfs_contexts entry) so that we can also unmount them. Add comments to note the reason for various rules. Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Clean up kernel, init, and recovery domains.
eb1bbf26 · Stephen Smalley · 4553074c · eb1bbf26 · eb1bbf26 · eb1bbf26
Commit eb1bbf26 authored 10 years ago by Stephen Smalley
--- a/init.te
+++ b/init.te
@@ -3,17 +3,30 @@ type init, domain;
 # init is unconfined.
 unconfined_domain(init)
 tmpfs_domain(init)
-# add a rule to handle unlabelled mounts
-allow init unlabeled:filesystem mount;
 allow init self:capability { sys_rawio mknod };
+# Running e2fsck or mkswap via fs_mgr.
 allow init dev_type:blk_file rw_file_perms;
+# Mounting filesystems.
 allow init fs_type:filesystem *;
-allow init {fs_type dev_type}:dir_file_class_set relabelto;
+allow init unlabeled:filesystem *;
+# restorecon and restorecon_recursive calls from init.rc files.
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
+# Reload policy upon setprop selinux.reload_policy 1.
 allow init kernel:security load_policy;
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
 allow init kernel:system syslog_mod;
+# Set usermodehelpers and /proc security settings.
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;

--- a/kernel.te
+++ b/kernel.te
@@ -8,10 +8,14 @@ allow kernel init:process dyntransition;
 # The kernel is unconfined.
 unconfined_domain(kernel)
-allow kernel {fs_type dev_type}:dir_file_class_set relabelto;
+# init direct restorecon calls prior to switching to init domain
-allow kernel {file_type -system_file -exec_type}:dir_file_class_set relabelto;
+# /dev and /dev/socket
-allow kernel unlabeled:filesystem mount;
+allow kernel { device socket_device }:dir relabelto;
-allow kernel fs_type:filesystem *;
+# /dev/__properties__
+allow kernel properties_device:file relabelto;
+# /sys
+allow kernel sysfs:{ dir file lnk_file } relabelfrom;
+allow kernel sysfs_type:{ dir file lnk_file } relabelto;
 # Initial setenforce by init prior to switching to init domain.
 # We use dontaudit instead of allow to prevent a kernel spawned userspace

--- a/recovery.te
+++ b/recovery.te
@@ -5,11 +5,12 @@ unconfined_domain(recovery)
 allow recovery self:capability2 mac_admin;
-allow recovery {dev_type -kmem_device}:dir_file_class_set relabelto;
+# Mount filesystems.
-allow recovery {fs_type file_type}:dir_file_class_set relabelto;
-allow recovery unlabeled:filesystem mount;
 allow recovery fs_type:filesystem *;
+allow recovery unlabeled:filesystem *;
+# Create and relabel files under /system.
 allow recovery exec_type:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
 allow recovery system_file:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };