From 9a19885c4cbb2ded4dd0833d38636e6bd2c2c802 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 12 Jul 2013 21:28:41 -0700
Subject: [PATCH] remove "self:process ptrace" from domain, netd neverallow
 rules

Remove "self:process ptrace" from all SELinux enforced domains.
In general, a process should never need to ptrace itself.
We can add this back to more narrowly scoped domains as needed.

Add a bunch of neverallow assertions to netd.te, to verify that netd
never gets unexpected capabilities.

Change-Id: Ie862dc95bec84068536bb64705667e36210c5f4e
---
 domain.te |  2 +-
 netd.te   | 28 +++++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index 4cf20eadb..029179d90 100644
--- a/domain.te
+++ b/domain.te
@@ -14,7 +14,7 @@ allow domain tmpfs:dir r_dir_perms;
 allow domain self:capability sys_nice;
 
 # Intra-domain accesses.
-allow domain self:process ~{ execstack execheap };
+allow domain self:process ~{ execstack execheap ptrace };
 allow domain self:fd use;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
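Review bot: The new `allow domain self:process ~{ execstack execheap ptrace };` line does not record why ptrace joined the excluded set, and the `# Intra-domain accesses.` comment above it does not say either, so the rationale lives only in the commit message. A one-line comment above the rule, such as `# ptrace is withheld here: a process should not need to trace itself; grant it per domain if required.`, would keep that reasoning in the file where the next person widening the set will read it. Note that this exclusion only affects the blanket grant in domain.te; any explicit `self:process ptrace` allow in an individual domain's .te file, if one exists outside this diff, would be unaffected.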
diff --git a/netd.te b/netd.te
index 9603ce3ea..8636af133 100644
--- a/netd.te
+++ b/netd.te
@@ -3,7 +3,6 @@ type netd, domain;
 type netd_exec, exec_type, file_type;
 
 init_daemon_domain(netd)
-typeattribute netd mlstrustedsubject;
 allow netd self:capability { net_admin net_raw kill };
 allow netd self:netlink_kobject_uevent_socket *;
 allow netd self:netlink_route_socket *;
@@ -52,3 +51,30 @@ allow netd dnsmasq:process signal;
 # TODO: prune this back further
 allow netd ctl_default_prop:property_service set;
 allow netd device:sock_file write;
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# Kernel memory access.
+neverallow netd kmem_device:chr_file { read write };
+
+# Setting SELinux enforcing status or booleans.
+# Conditionally allowed to system_app for SEAndroidManager.
+neverallow netd kernel:security { setenforce setbool };
+
+# Load security policy.
+neverallow netd kernel:security load_policy;
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
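Review bot: The `system_file` and `{ app_data_file system_data_file }` neverallow lines at the end of the hunk assert only `write`, so a later allow rule granting netd `create`, `unlink`, `rename` or `setattr` on those types would still pass the policy build even though it contradicts the `# Write to /system.` intent; if the intent is that netd never modifies those trees, widen the set, e.g. `neverallow netd system_file:dir_file_class_set { write create unlink rename setattr };`, and use the same set on the data-file line. The comment `# ptrace any other app` above `neverallow netd { domain }:process ptrace;` understates the rule: `domain` includes netd itself, so after the domain.te change this also asserts that netd cannot self-ptrace, and `# ptrace any domain, including itself` would be accurate; the braces around the single type `domain` are also unnecessary. Separately, the removal of `typeattribute netd mlstrustedsubject;` in the first netd.te hunk presumably changes which MLS constraints apply to netd but is not mentioned in the commit description, so a sentence there or a short comment in netd.te would help a later reader understand that it was deliberate.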
-- 
GitLab