From 65feafce6c72ded001619e4f6b975de095941acd Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 21 Aug 2014 16:26:23 -0700
Subject: [PATCH] tighten up neverallow rules for init binder operations

Init never uses binder, so allowing binder related operations for init never makes sense. Disallow all binder opertions for init.

This change expands on commit a730e50bd93cd058b271ce3a4affcc6ac75da58b, disallowing any init binder operation, not just call operations, which may be accidentally added by blindly running audit2allow.

Change-Id: I12547a75cf68517d54784873846bdadcb60c5112
---
 domain.te | 6 +++---
 servicemanager.te | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/domain.te b/domain.te
index 9ae611c6e..9e2634848 100644
--- a/domain.te
+++ b/domain.te
@@ -51,7 +51,7 @@ userdebug_or_eng(`
 allow domain su:fd use;
 allow domain su:unix_stream_socket { getattr getopt read write shutdown };
- binder_call(domain, su)
+ binder_call({ domain -init }, su)
 
 # Running something like "pm dump com.android.bluetooth" requires
 # fifo writes
@@ -245,9 +245,9 @@ neverallow { domain -init } proc_security:file { append write };
 # No domain should be allowed to ptrace init.
 neverallow domain init:process ptrace;
 
-# Init can't receive binder calls. If this neverallow rule is being
+# Init can't do anything with binder calls. If this neverallow rule is being
 # triggered, it's probably due to a service with no SELinux domain.
-neverallow domain init:binder call;
+neverallow domain init:binder *;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
diff --git a/servicemanager.te b/servicemanager.te
index a92891641..d20872c61 100644
--- a/servicemanager.te
+++ b/servicemanager.te
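Review bot: The `-init` carve-out in `binder_call({ domain -init }, su)` carries no explanation on the line, so the next person who runs audit2allow on a userdebug build and sees a denial against su is likely to widen it back to `domain`, and the policy will then fail to build against the init:binder neverallow added later in this same file (presumably because binder_call grants permissions in both directions; the macro body is not visible here). A one-line comment naming the dependency would stop that: `# init never uses binder; keep it out of the su rules so the init:binder neverallow below holds.` The userdebug_or_eng block this rule sits in begins before the hunk.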
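Review bot: `neverallow domain init:binder *;` only forbids rules in which init is the target of a binder operation; a rule with init as the source, such as `allow init foo:binder call;`, which is exactly what audit2allow emits for a denial whose scontext is init, is not caught, so the commit message's claim that any init binder operation is now disallowed is only half enforced. The source side should get its own rule directly below this one, `neverallow init domain:binder *;`, with the comment extended to say it covers init both as caller and as callee. The first hunk already removes init from the source side of the su binder_call rule, so the new neverallow would not conflict with anything visible here; rules in other policy files are not visible and would need checking before it lands.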
@@ -11,7 +11,7 @@ init_daemon_domain(servicemanager)
 # created by other domains. It never passes its own references
 # or initiates a Binder IPC.
 allow servicemanager self:binder set_context_mgr;
-allow servicemanager domain:binder transfer;
+allow servicemanager { domain -init }:binder transfer;
 
 # Check SELinux permissions.
 selinux_check_access(servicemanager)
-- 
GitLab
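Review bot: The `-init` exclusion in `allow servicemanager { domain -init }:binder transfer;` exists to satisfy a neverallow that lives in a different file, but nothing in servicemanager.te records that, so the comment just above (which explains why transfer is granted at all) should also explain why init is left out; suggest adding `# init never uses binder, and domain.te forbids any domain from holding binder permissions on it, so it is excluded here.` Without that note a later edit that re-widens this rule to `domain` would only be diagnosed at policy build time, by a neverallow failure pointing at domain.te rather than at this line.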