From 04b8a75c2f7532821a2a098a95d884931a91807c Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 19 Jun 2014 11:26:22 -0400
Subject: [PATCH] Remove write access to rootfs files.

Remove write access to rootfs files from unconfineddomain and
prevent adding it back via neverallow.

This is only applied to regular files, as we are primarily concerned
with preventing writing to a file that can be exec'd and because
creation of directories or symlinks in the rootfs may be required
for mount point directories.

Change-Id: If2c96da03f5dd6f56de97131f6ba9eceea328721
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te     | 3 +++
 unconfined.te | 1 +
 2 files changed, 4 insertions(+)

diff --git a/domain.te b/domain.te
index 466e48a47..787ce36dd 100644
--- a/domain.te
+++ b/domain.te
@@ -277,6 +277,9 @@ neverallow { domain -init } property_data_file:file { create setattr relabelfrom
 neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
   { create write setattr relabelfrom relabelto append unlink link rename };
 
+# Nothing should be writing to files in the rootfs.
+neverallow domain rootfs:file { create write setattr relabelfrom relabelto append unlink link rename };
+
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
 neverallow domain {fs_type -contextmount_type}:filesystem relabelto;
diff --git a/unconfined.te b/unconfined.te
index 97a7da19d..f3c88a093 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -70,6 +70,7 @@ allow unconfineddomain {
   -usermodehelper
   -proc_security
   -contextmount_type
+  -rootfs
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain {
-- 
GitLab
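Review bot: The comment introduced above the new neverallow in domain.te, `# Nothing should be writing to files in the rootfs.`, promises more than the rule enforces, since the rule names only the `file` class and leaves `dir` and `lnk_file` untouched. The commit message gives the reason (directories and symlinks may have to be created for mount points), but that rationale lives only in the log, not where the next maintainer will read the policy, and the neighbouring system_file/exec_type rule uses `dir_file_class_set`, so the narrower class here reads like an oversight. Suggest `# Nothing should be writing to regular files in the rootfs.` followed by `# dir and lnk_file are deliberately not covered: mount point directories may need to be created here.` so the scope is explicit in the policy itself.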
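Review bot: Adding `-rootfs` to the exclusion set in unconfined.te removes more than write access: this rule is the grant of the whole `~{entrypoint execute_no_trans execmod execute relabelto}` permission set on `{ chr_file file }`, so read, getattr, open and similar on rootfs files also drop out of it for unconfineddomain. That is only safe if those permissions are granted elsewhere — presumably by a domain-wide read rule for rootfs in domain.te, which is not visible in this diff — otherwise unconfined domains lose the ability to read rootfs files outright. Worth confirming that such a rule exists, or adding an explicit `allow unconfineddomain rootfs:file r_file_perms;` next to this rule if it does not. The enclosing `allow unconfineddomain {` rule opens before the hunk.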