From e6a7b37d4c8e16dd92b2fa340a6798cb4dbe80ad Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 9 Dec 2013 13:24:25 -0500
Subject: [PATCH] Restrict mapping low memory.

Label /proc/sys/vm/mmap_min_addr with proc_security to prevent writing it by any domain other than init. Also remove memprotect mmap_zero permission from unconfineddomain so that it cannot pass the SELinux check over mapping low memory.

Change-Id: Idc189feeb325a4aea26c93396fd0fa7225e79586
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 genfs_contexts | 1 +
 unconfined.te | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/genfs_contexts b/genfs_contexts
index 2aed2bc1c..8560e38d3 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -15,6 +15,7 @@ genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
diff --git a/unconfined.te b/unconfined.te
index daa684982..45c829201 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -19,7 +19,6 @@ allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~{ load_policy setenforce };
 allow unconfineddomain kernel:system *;
-allow unconfineddomain self:memprotect *;
 allow unconfineddomain domain:process ~ptrace;
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
-- 
GitLab
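Review bot: The description's claim that only init can write /proc/sys/vm/mmap_min_addr after this relabel is not established by the genfs_contexts hunk itself: the added genfscon line only assigns the proc_security type, and which domains may write proc_security:file is decided by allow rules elsewhere in the policy that this diff does not show. It is worth confirming that no other domain, including unconfineddomain (whose proc_security rules are not in the unconfined.te hunk), retains write access to that type, since otherwise the relabel alone does not achieve the stated restriction. The new line would also benefit from a comment in the file's existing `#` style explaining why it is grouped with the other proc_security entries, e.g. `# mmap_min_addr sets the lowest address userspace may map; label it proc_security so it is not writable by ordinary domains`.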