Drop rw access to unlabeled files.

Should no longer be required due to restorecon_recursive of /data by init.rc (covers everything outside of /data/data) and due to restorecon_recursive of /data/data by installd (covers /data/data directories). Move the neverallow rule on relabelto to the neverallow section. We could potentially drop this altogether, along with the relabelto_domain macro and its callers, since its motivation was to provide some safeguard in spite of allowing relabelfrom to unlabeled files for all domains and this change removes relabelfrom. unconfined still retains rw access to unlabeled, as do specific domains that are explicitly allowed it. Change-Id: Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Drop rw access to unlabeled files.
Should no longer be required due to restorecon_recursive of /data by init.rc (covers everything outside of /data/data) and due to restorecon_recursive of /data/data by installd (covers /data/data directories). Move the neverallow rule on relabelto to the neverallow section. We could potentially drop this altogether, along with the relabelto_domain macro and its callers, since its motivation was to provide some safeguard in spite of allowing relabelfrom to unlabeled files for all domains and this change removes relabelfrom. unconfined still retains rw access to unlabeled, as do specific domains that are explicitly allowed it. Change-Id: Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
e69a32a1 · Stephen Smalley · 7004789d · e69a32a1
Commit e69a32a1 authored 10 years ago by Stephen Smalley
--- a/domain.te
+++ b/domain.te
@@ -142,27 +142,13 @@ allow domain security_file:lnk_file r_file_perms;
 allow domain asec_public_file:file r_file_perms;
 allow domain { asec_public_file asec_apk_file }:dir r_dir_perms;
-######## Backwards compatibility - Unlabeled files ############
-# Revert to DAC rules when looking at unlabeled files. Over time, the number
-# of unlabeled files should decrease.
-# TODO: delete these rules in the future.
-#
-# Note on relabelfrom: We allow any app relabelfrom, but without the relabelto
-# capability, it's essentially useless. This is needed to allow an app with
-# relabelto to relabel unlabeled files.
-#
-allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-allow domain unlabeled:dir { create_dir_perms relabelfrom };
-auditallow { domain -init } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-auditallow { domain -init -kernel } unlabeled:dir { create_dir_perms relabelfrom };
-auditallow kernel unlabeled:dir ~search;
-neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 ###
 ### neverallow rules
 ###
+# Limit ability to relabel files to domains marked with relabelto_domain().
+neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;