From bac4ccce8f1b06ec9c25b98e6690714ba8ad7baf Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 18 Jun 2014 10:09:35 -0400
Subject: [PATCH] Prevent adding transitions to kernel or init domains.

Add neverallow rules to prohibit adding any transitions into
the kernel or init domains.  Rewrite the domain self:process
rule to use a positive permission list and omit the transition
and dyntransition permissions from this list as well as other
permissions only checked when changing contexts.  This should be
a no-op since these permissions are only checked when
changing contexts but avoids needing to exclude kernel or init
from the neverallow rules.

Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te | 18 +++++++++++++++++-
 init.te   | 10 ++++++++++
 kernel.te |  8 ++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 86c683f23..466e48a47 100644
--- a/domain.te
+++ b/domain.te
@@ -11,7 +11,23 @@ allow domain tmpfs:file { read getattr };
 allow domain tmpfs:dir r_dir_perms;
 
 # Intra-domain accesses.
-allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate };
+allow domain self:process {
+    fork
+    sigchld
+    sigkill
+    sigstop
+    signull
+    signal
+    getsched
+    setsched
+    getsession
+    getpgid
+    setpgid
+    getcap
+    setcap
+    getattr
+    setrlimit
+};
 allow domain self:fd use;
 allow domain self:dir r_dir_perms;
 allow domain self:lnk_file r_file_perms;
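Review bot: The new positive list drops `share`, `rlimitinh`, `siginh` and `noatsecure` as well as `transition`/`dyntransition`, but the only explanation for why they are omitted is in the commit message, not next to the rule, so a later reader of domain.te cannot tell a deliberate omission from an oversight. Suggest widening the comment above the rule to something like `# Intra-domain accesses.  Positive list on purpose: transition, dyntransition and the` / `# permissions checked only on a context change (share, rlimitinh, siginh, noatsecure, set*)` / `# are omitted so kernel and init need not be excluded from the neverallow rules.` The no-op claim rests on those permissions being checked only when the SID changes; a policy comparison with a tool such as sediff against the previous build would confirm it before merge.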
diff --git a/init.te b/init.te
index e4d1f88aa..3f4d706c8 100644
--- a/init.te
+++ b/init.te
@@ -76,3 +76,13 @@ allow init self:process { setexec setfscreate setsockcreate };
 # Create /data/property and files within it.
 allow init property_data_file:dir create_dir_perms;
 allow init property_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+# The init domain is only entered via setcon from the kernel domain,
+# never via an exec-based transition.
+neverallow { domain -kernel} init:process dyntransition;
+neverallow domain init:process transition;
+neverallow init { file_type fs_type }:file entrypoint;
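Review bot: The first neverallow is written `{ domain -kernel}` while the set two lines below is `{ file_type fs_type }`; make the spacing consistent, `neverallow { domain -kernel } init:process dyntransition;`. Excluding kernel here presumably pairs with an explicit `allow kernel init:process dyntransition` elsewhere in the policy, which is not visible in this hunk; a short note on that dependency in the comment above would make the pairing clear.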
diff --git a/kernel.te b/kernel.te
index 0de0ab894..08ccbf59c 100644
--- a/kernel.te
+++ b/kernel.te
@@ -30,3 +30,11 @@ dontaudit kernel self:security setenforce;
 
 # Set checkreqprot by init.rc prior to switching to init domain.
 allow kernel self:security setcheckreqprot;
+
+###
+### neverallow rules
+###
+
+# The initial task starts in the kernel domain (assigned via
+# initial_sid_contexts), but nothing ever transitions to it.
+neverallow domain kernel:process { transition dyntransition };
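Review bot: The kernel rule does not forbid `entrypoint` on any file type for the kernel domain, whereas the init.te rules in this same change do; with `transition` into kernel barred this has no practical effect, but a matching `neverallow kernel { file_type fs_type }:file entrypoint;` would state the invariant completely and fail the build if the transition rule were ever relaxed. Whether any entrypoint allow for kernel exists today is not visible from this hunk.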
-- 
GitLab