From 3235f61aa859af1d1c3d060eb55cf1929bc6914f Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 30 May 2014 10:25:00 -0400
Subject: [PATCH] Restrict /data/security and setprop selinux.reload_policy
 access.

Remove /data/security and setprop selinux.reload_policy access
from unconfineddomain, and only add back what is needed to
init (system_server already gets the required allow rules via
the selinux_manage_policy macro).

init (via init.rc post-fs-data) originally creates /data/security
and may later restorecon it.  init also sets the property (also from
init.rc post-fs-data) to trigger a reload once /data is mounted.
The system_server (SELinuxPolicyInstallReceiver in particular) creates
subdirectories under /data/security for updates, writes files to these
subdirectories, creates the /data/security/current symlink to the update
directory, and sets the property to trigger a reload when an update bundle
is received.

Add neverallow rules to ensure that we do not allow undesired access
to security_file or security_prop.

This is only truly meaningful if the support for /data/security policies
is restored, but is harmless otherwise.

Also drop the persist.mmac property_contexts entry; it was never used in
AOSP, only in our tree (for middleware MAC) and is obsolete.

Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te            |  3 ---
 domain.te         | 17 +++++++++++++++++
 init.te           |  7 +++++++
 property_contexts |  3 ---
 unconfined.te     |  6 +++---
 5 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/app.te b/app.te
index 611675782..0049fe47d 100644
--- a/app.te
+++ b/app.te
@@ -268,9 +268,6 @@ neverallow { appdomain -unconfineddomain -system_app }
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Write to various other parts of /data.
-neverallow { appdomain -system_app -unconfineddomain }
-    security_file:dir_file_class_set
-    { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -unconfineddomain } drm_data_file:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 neverallow { appdomain -unconfineddomain } gps_data_file:dir_file_class_set
diff --git a/domain.te b/domain.te
index 5464d86f0..a53a32892 100644
--- a/domain.te
+++ b/domain.te
@@ -189,6 +189,23 @@ neverallow { domain -recovery } self:capability2 mac_admin;
 # Policy reload requires allowing this to the init domain.
 neverallow { domain -init } kernel:security load_policy;
 
+# Only init and the system_server can set selinux.reload_policy 1
+# to trigger a policy reload.
+neverallow { domain -init -system_server } security_prop:property_service set;
+
+# Only init and system_server can write to /data/security, where runtime
+# policy updates live.
+# Only init can relabel /data/security (for init.rc restorecon_recursive /data).
+neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };
+# Only init and system_server can create/setattr directories with this type.
+# init is for init.rc mkdir /data/security.
+# system_server is for creating subdirectories under /data/security.
+neverallow { domain -init -system_server } security_file:dir { create setattr };
+# Only system_server can create subdirectories and files under /data/security.
+neverallow { domain -system_server } security_file:dir { rename write add_name remove_name rmdir };
+neverallow { domain -system_server } security_file:file { create setattr write append unlink link rename };
+neverallow { domain -system_server } security_file:lnk_file { create setattr unlink rename };
+
 # Only init prior to switching context should be able to set enforcing mode.
 # init starts in kernel domain and switches to init domain via setcon in
 # the init.rc, so the setenforce occurs while still in kernel. After
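Review bot: The relabel rule `neverallow { domain -init } security_file:{ dir file lnk_file } { relabelfrom relabelto };` narrows the class set compared with the app.te rule this commit deletes, which used `security_file:dir_file_class_set`, so relabelfrom/relabelto on a sock_file, fifo_file or other special file carrying the security_file type is no longer neverallowed for any domain. Nothing on the page shows such objects under /data/security, but the rule is meant as a floor for the whole type, so the wider set costs nothing: `neverallow { domain -init } security_file:dir_file_class_set { relabelfrom relabelto };`. The same narrowing applies to the `security_file:file` and `security_file:lnk_file` rules that follow; the `add_name` neverallow on the directory already blocks other domains from creating such entries, so only setattr/write on pre-existing objects of other classes is left uncovered. The surrounding domain.te content outside this hunk is not visible here.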
diff --git a/init.te b/init.te
index 5397a8217..8cdc3bcb5 100644
--- a/init.te
+++ b/init.te
@@ -23,7 +23,14 @@ allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init unlabeled:dir { create_dir_perms relabelfrom };
 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 
+# Create /data/security from init.rc post-fs-data.
+allow init security_file:dir { create setattr };
+
+# setprop selinux.reload_policy 1 from init.rc post-fs-data.
+allow init security_prop:property_service set;
+
 # Reload policy upon setprop selinux.reload_policy 1.
+r_dir_file(init, security_file)
 allow init kernel:security load_policy;
 
 # Any operation that can modify the kernel ring buffer, e.g. clear
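Review bot: `r_dir_file(init, security_file)` is inserted directly under the `# Reload policy upon setprop selinux.reload_policy 1.` comment without stating why init needs read access, and that comment previously documented only the `load_policy` rule. The commit message says policy reloads are driven from /data/security, so presumably init reads the policy files there before loading them; extend the comment to `# Reload policy upon setprop selinux.reload_policy 1; init reads the policy files under /data/security (security_file) before loading them.` so the macro call is explained in place. The `allow init security_file:dir { create setattr };` rule mirrors the init exception in the new domain.te neverallow on `security_file:dir`, and a one-line cross-reference such as `# Must stay in sync with the domain.te neverallow on security_file:dir.` would help keep the two from drifting apart.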
diff --git a/property_contexts b/property_contexts
index c525c3bca..cd8be69a3 100644
--- a/property_contexts
+++ b/property_contexts
@@ -39,9 +39,6 @@ persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
 
-# mmac persistent properties
-persist.mmac.			u:object_r:security_prop:s0
-
 # selinux non-persistent properties
 selinux.                u:object_r:security_prop:s0
 
diff --git a/unconfined.te b/unconfined.te
index ecfe61574..7c7fa4d99 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -29,13 +29,13 @@ allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
 allow unconfineddomain {fs_type dev_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:{ file dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:{ dir lnk_file } ~{ create write setattr relabelfrom relabelto append unlink link rename };
 allow unconfineddomain system_file:file ~{ create write setattr relabelfrom relabelto append unlink link rename entrypoint };
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type}:{ chr_file file } ~{entrypoint execmod execute relabelto};
+allow unconfineddomain {file_type -keystore_data_file -property_data_file -system_file -exec_type -security_file}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain { rootfs system_file exec_type }:file execute;
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
@@ -44,4 +44,4 @@ allow unconfineddomain port_type:socket_class_set name_bind;
 allow unconfineddomain port_type:{ tcp_socket dccp_socket } name_connect;
 allow unconfineddomain domain:peer recv;
 allow unconfineddomain { domain -init }:binder { call transfer set_context_mgr };
-allow unconfineddomain property_type:property_service set;
+allow unconfineddomain { property_type -security_prop }:property_service set;
-- 
GitLab