From 74ddf301a086a829787ed4fd98154a86534cf5d7 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 23 Feb 2015 12:33:34 -0800
Subject: [PATCH] neverallow mounton lnk_file fifo_file sock_file

Add a compile time assertion that no SELinux rule exists which
allows mounting on top of symbolic links, fifo files, or socket
files. Remove the corresponding mounton permission from unconfined domains.

Change-Id: I6d7cc95cd17e2e5f165fa5948563800ed206bb71
---
 domain.te     | 4 ++++
 unconfined.te | 6 +++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/domain.te b/domain.te
index 731e0c494..1e3b2fb2b 100644
--- a/domain.te
+++ b/domain.te
@@ -362,3 +362,7 @@ neverallow {
 # that over time, the kernel global tables used to implement SysV IPCs will fill
 # up.
 neverallow domain domain:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
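Review bot: The new neverallow at the last line of the hunk only reaches object types that carry `file_type`, `fs_type` or `dev_type`, so a type declared without any of those attributes (a device-specific policy type, for example) would still be a permissible mount target of these classes; whether every filesystem-object type in this tree carries one of the three attributes cannot be checked from the hunk. If the intent is parity with an LSM-level deny that applies to every label, `neverallow domain *:{ lnk_file fifo_file sock_file } mounton;` states that directly and is strictly stronger. The comment above the rule names the precedent but not the reason; a line such as `# Nothing in the platform is expected to mount on a symlink, fifo or socket, so reject any policy that permits it (same restriction as the Chromium OS LSM).` would tell a later maintainer why a violating rule must not simply be allowed.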
diff --git a/unconfined.te b/unconfined.te
index d9a5b04e6..559ed593a 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -43,8 +43,8 @@ allow unconfineddomain domain:{
     tun_socket
 } *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~relabelto;
+allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
+allow unconfineddomain dev_type:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
 allow unconfineddomain {
     file_type
     -keystore_data_file
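Review bot: The change from `~relabelto` to `~{ relabelto mounton }` on the two rewritten rules also strips `mounton` on `dir` from unconfined domains, because `dir` shares the class set with `lnk_file sock_file fifo_file`, while the commit message and the new neverallow only cover the latter three. If an unconfined domain still mounts filesystems on directories under `fs_type` or `dev_type` and no separate `dir mounton` rule exists elsewhere in the file — the rest of unconfined.te is outside the hunk — those mounts will start being denied. Either state in the description that directory mounts are intentionally withdrawn from unconfined domains, or split the class set so only the three classes lose the permission: `allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:dir ~relabelto;` followed by `allow unconfineddomain {fs_type -contextmount_type -sdcard_type}:{ lnk_file sock_file fifo_file } ~{ relabelto mounton };`, with the same split for the `dev_type` rule. The `allow unconfineddomain { file_type ...` rule that begins at the bottom of this hunk continues past it, and the same `dir` consideration applies to its rewritten permission set in the following hunk.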
@@ -55,7 +55,7 @@ allow unconfineddomain {
     -shell_data_file
     -app_data_file
     -unlabeled
-}:{ dir lnk_file sock_file fifo_file } ~relabelto;
+}:{ dir lnk_file sock_file fifo_file } ~{ relabelto mounton };
 allow unconfineddomain exec_type:dir r_dir_perms;
 allow unconfineddomain exec_type:file { r_file_perms execute };
 allow unconfineddomain exec_type:lnk_file r_file_perms;
-- 
GitLab