From 64a0503831f3f6c44e350a112f5e36a4569f3e1a Mon Sep 17 00:00:00 2001
From: Luis Hector Chavez <lhchavez@google.com>
Date: Thu, 23 Feb 2017 14:40:56 -0800
Subject: [PATCH] Restrict /proc/sys/vm/mmap_rnd_bits

Label /proc/sys/vm/mmap_rnd_bits so it is only readable and writable by
init. This also tightens the neverallow restrictions for proc_security.

Bug: 33563834
Test: run cts -m CtsPermissionTestCases -t \
      android.permission.cts.FileSystemPermissionTest#testProcfsMmapRndBitsExistsAndSane

Change-Id: Ie7af39ddbf23806d4ffa35e7b19d30fec7b6d410
---
 private/genfs_contexts | 2 ++
 public/domain.te       | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 0c5067579..d1e1b91f2 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -26,6 +26,8 @@ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
 genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
 genfscon proc /timer_list u:object_r:proc_timer:s0
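Review bot: The commit message names only /proc/sys/vm/mmap_rnd_bits, but the hunk also relabels /proc/sys/vm/mmap_rnd_compat_bits (line 28) to proc_security; the description should list both paths, since on a 64-bit kernel with compat support the compat file controls ASLR entropy for 32-bit processes and is the same class of setting. Both entries reuse the existing proc_security type rather than introducing a new one, so they inherit every neverallow already attached to that type, including the tightened rule in public/domain.te from this same patch; that coupling is worth stating in the message so the next person adding a proc_security path knows it also forbids reads. Before this change these two paths presumably fell through to the generic proc label (the default genfscon entry is outside this hunk), which is what the CTS test referenced in the description exercises.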
diff --git a/public/domain.te b/public/domain.te
index e2c71da61..10e62b82a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -251,7 +251,7 @@ neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
 # Only init should be able to configure kernel usermodehelpers or
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append write };
+neverallow { domain -init } proc_security:file { append open read write };
 
 # No domain should be allowed to ptrace init.
 neverallow * init:process ptrace;
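Review bot: The comment on lines 37-38 still describes the rule as restricting who can "configure" security-sensitive proc settings, but the new line 41 also forbids `open read`, so the comment is now narrower than the rule it documents; suggest `# Only init should be able to configure kernel usermodehelpers, or to read or` / `# configure security-sensitive proc settings.` Note the asymmetry this introduces: the usermodehelper rule on line 39 keeps `{ append write }` while proc_security gains `open read`, which is presumably intentional (the helper path is not secret, the ASLR entropy values arguably are) but deserves a sentence in the comment. Since every existing proc_security path (mmap_min_addr, randomize_va_space) is now unreadable outside init as well, any domain that read them before will trip this neverallow at policy build time rather than at runtime, which is the desired failure mode but should be verified with a full policy compile, not only the CTS test. If the intent is that nothing but init touches these files at all, the file's existing `~{ ... }` style on line 36 would express that more robustly than enumerating permissions, e.g. `neverallow { domain -init } proc_security:file ~getattr;` — hedged, because that also denies ioctl/lock and would need checking against current callers.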
-- 
GitLab