From b081cc1e050843ecb7dff687f780787ad05d6143 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 10 Feb 2014 13:29:38 -0500
Subject: [PATCH] Remove mount-related permissions from unconfined domains.

Only allow them to specific domains as required, and add a neverallow
to prevent granting them to other domains that are not explicitly whitelisted.
sdcard_type is exempted from the neverallow since more domains
require the ability to mount it, including device-specific domains.

Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te     | 5 +++++
 init.te       | 1 +
 kernel.te     | 1 +
 recovery.te   | 1 +
 unconfined.te | 1 -
 5 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 9ecb1371d..7cc7f133c 100644
--- a/domain.te
+++ b/domain.te
@@ -199,3 +199,8 @@ neverallow { domain -unconfineddomain -vold } block_device:blk_file { open read
 # Rather force a relabel to a more specific type.
 # ueventd is exempt from this, as its managing these devices.
 neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow { domain -kernel -init -recovery -vold -zygote } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
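Review bot: The exemption list in this neverallow is now the sole allowlist for mount-related access, and it exempts vold and zygote although nothing in this patch grants either of them filesystem permissions; presumably they carry their own rules in their .te files, but that is worth confirming, because a neverallow only fails the build when an allow contradicts it, not when an exempted domain silently lacks what it needs. The comment on the preceding lines says "sdcard_type / vfat is exempt" while the rule itself excludes only `-sdcard_type`; unless vfat is declared with the sdcard_type attribute the two disagree, so `# sdcard_type (e.g. vfat) is exempt` would describe the rule more precisely. The guarded set stops at mount, remount, relabelfrom and relabelto; if unmount is meant to stay restricted to the same domains, adding it here would close that gap, and if it is deliberately left open a short comment saying so would help.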
diff --git a/init.te b/init.te
index bab0df369..84fbf5a0f 100644
--- a/init.te
+++ b/init.te
@@ -7,6 +7,7 @@ relabelto_domain(init)
 # add a rule to handle unlabelled mounts
 allow init unlabeled:filesystem mount;
 
+allow init fs_type:filesystem *;
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow init kernel:security load_policy;
 allow init usermodehelper:file rw_file_perms;
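Review bot: `allow init fs_type:filesystem *;` grants every permission in the filesystem class, including unmount, getattr, associate, transition, quotamod and quotaget, whereas the neverallow added to domain.te in this same commit guards only mount, remount, relabelfrom and relabelto; the identical wildcard rule is added in kernel.te and recovery.te. Since the stated goal is to narrow these permissions to what each domain actually requires, naming them explicitly, e.g. `allow init fs_type:filesystem { mount remount unmount relabelfrom relabelto getattr };`, keeps the allow aligned with the neverallow and makes later audits of the allowlist a simple comparison. If the wildcard is intentional because init, kernel and recovery genuinely need the full class, a one-line comment above each rule stating that would spare the next reviewer the same question.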
diff --git a/kernel.te b/kernel.te
index dfc625825..106d48ec7 100644
--- a/kernel.te
+++ b/kernel.te
@@ -9,6 +9,7 @@ relabelto_domain(kernel)
 
 allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
 allow kernel unlabeled:filesystem mount;
+allow kernel fs_type:filesystem *;
 
 # Initial setenforce by init prior to switching to init domain.
 allow kernel self:security setenforce;
diff --git a/recovery.te b/recovery.te
index abcf0cfd4..37d645593 100644
--- a/recovery.te
+++ b/recovery.te
@@ -8,6 +8,7 @@ allow recovery self:capability2 mac_admin;
 
 allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
 allow recovery unlabeled:filesystem mount;
+allow recovery fs_type:filesystem *;
 
 allow recovery self:process execmem;
 allow recovery ashmem_device:chr_file execute;
diff --git a/unconfined.te b/unconfined.te
index 8d424f3ee..ac0de840f 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -28,7 +28,6 @@ allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
 allow unconfineddomain domain:socket_class_set *;
 allow unconfineddomain domain:ipc_class_set *;
 allow unconfineddomain domain:key *;
-allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain {fs_type -usermodehelper -proc_security}:{ chr_file file } ~{entrypoint execmod execute relabelto};
 allow unconfineddomain {dev_type -kmem_device}:{ chr_file file } ~{entrypoint execmod execute relabelto};
-- 
GitLab