From f25304ee8472c48e7cacdda10b950827017e5cf9 Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@intel.com>
Date: Mon, 14 Sep 2015 20:45:30 -0700
Subject: [PATCH] neverallow: domain:file execute and entrypoint

Occasionally, files get labeled with the domain type rather than the executable file type. This can work if the author uses domain_auto_trans() versus init_daemon_domain(). This will cause a lot of issues and is typically not what the author intended. Another case where exec on domain type might occur, is if someone attempts to execute a /proc/pid file, this also does not make sense. To prevent this, we add a neverallow.

Change-Id: I39aff58c8f5a2f17bafcd2be33ed387199963b5f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 domain.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/domain.te b/domain.te
index 7324738e9..a31705084 100644
--- a/domain.te
+++ b/domain.te
@@ -537,3 +537,16 @@ neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file rw_fi
 # Prevent assigning non property types to properties
 neverallow domain ~property_type:property_service set;
+
+# Domain types should never be assigned to any files other
+# than the /proc/pid files associated with a process. The
+# executable file used to enter a domain should be labeled
+# with its own _exec type, not with the domain type.
+# Conventionally, this looks something like:
+# $ cat mydaemon.te
+# type mydaemon, domain;
+# type mydaemon_exec, exec_type, file_type;
+# init_daemon_domain(mydaemon)
+# $ grep mydaemon file_contexts
+# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
+neverallow domain domain:file { execute execute_no_trans entrypoint };
-- 
GitLab
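Review bot: The new comment block states that domain types should never be assigned to files other than /proc/pid entries, but the rule beneath it only rejects execute, execute_no_trans and entrypoint on domain-typed files; a mislabeled file that is merely read or written, or a policy that never grants an exec permission on it, is not caught at build time. Suggest narrowing the comment so it is not read as a labeling check, e.g. `# This neverallow only catches the exec/entrypoint case; other file` / `# permissions on a domain-typed file are not rejected here.`. The hunk also does not show whether any existing domain currently holds these permissions on its own type, so downstream policy that does so would fail at build time; worth confirming against the full policy before merging. The /proc/pid case from the commit message is presumably covered because those entries carry the process's domain type, though that is inferred rather than shown in this hunk.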