Remove unlabeled execute access from domain, add to appdomain.

Otherwise all domains can create/write files that are executable by all other domains. If I understand correctly, this should only be necessary for app domains executing content from legacy unlabeled userdata partitions on existing devices and zygote and system_server mappings of dalvikcache files, so only allow it for those domains. If required for others, add it to the individual domain .te file, not for all domains. Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove unlabeled execute access from domain, add to appdomain.
Otherwise all domains can create/write files that are executable by all other domains. If I understand correctly, this should only be necessary for app domains executing content from legacy unlabeled userdata partitions on existing devices and zygote and system_server mappings of dalvikcache files, so only allow it for those domains. If required for others, add it to the individual domain .te file, not for all domains. Change-Id: I6f5715eb1ecf2911e70772b9ab4e531feea18819 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
959fdaaa · Stephen Smalley · c50bf17d · 959fdaaa · 959fdaaa · 959fdaaa
Commit 959fdaaa authored 11 years ago by Stephen Smalley
--- a/app.te
+++ b/app.te
@@ -158,6 +158,10 @@ allow appdomain usbaccessory_device:chr_file { read write getattr };
 # For art.
 allow appdomain dalvikcache_data_file:file execute;
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+allow appdomain unlabeled:file x_file_perms;
 ###
 ### CTS-specific rules
 ###

--- a/domain.te
+++ b/domain.te
@@ -129,7 +129,7 @@ allow domain security_file:file getattr;
 # capability, it's essentially useless. This is needed to allow an app with
 # relabelto to relabel unlabeled files.
 #
-allow domain unlabeled:file { create_file_perms rwx_file_perms relabelfrom };
+allow domain unlabeled:file { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
 allow domain unlabeled:lnk_file { create_file_perms };
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;

--- a/system_server.te
+++ b/system_server.te
@@ -239,3 +239,8 @@ allow system_server fscklogs:file unlink;
 # For SELinuxPolicyInstallReceiver
 selinux_manage_policy(system_server)
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow system_server unlabeled:file execute;
--- a/zygote.te
+++ b/zygote.te
@@ -50,3 +50,8 @@ allow zygote ashmem_device:chr_file execute;
 allow zygote shell_data_file:file { write getattr };
 allow zygote system_server:binder { transfer call };
 allow zygote servicemanager:binder { call };
+# For legacy unlabeled userdata on existing devices.
+# See discussion of Unlabeled files in domain.te for more information.
+# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
+allow zygote unlabeled:file execute;