From f2c4e1283e91f7a91963d1d68a27f515027d97b4 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 14 Jul 2015 11:46:30 -0700
Subject: [PATCH] neverallow service_manager / service_manager_type

Init never uses / add service manager services. It doesn't make sense to allow these rules to init. Adding a rule of this type is typically caused by a process inappropriately running in init's SELinux domain, and the warning message:

Warning! Service %s needs a SELinux domain defined; please fix!

is ignored.

In addition, add neverallow rules to domain.te which prevent nonsense SELinux service_manager rules from being added.

Change-Id: Id04a50d1826fe451a9ed216aa7ab249d0393cc57
---
 domain.te | 6 ++++++
 init.te | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/domain.te b/domain.te
index eb22ec7b9..23dabf58e 100644
--- a/domain.te
+++ b/domain.te
@@ -494,3 +494,9 @@ neverallow {
   -installd
   -surfaceflinger # TODO: see if we can remove from mako sepolicy
 } shell_data_file:lnk_file read;
+
+# servicemanager is the only process which handles list request
+neverallow domain ~servicemanager:service_manager list;
+
+# only service_manager_types can be added to service_manager
+neverallow domain ~service_manager_type:service_manager { add find };
diff --git a/init.te b/init.te
index 34b010cf3..9fdfd222a 100644
--- a/init.te
+++ b/init.te
@@ -282,3 +282,7 @@ neverallow init app_data_file:lnk_file read;
 
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow init service_manager_type:service_manager { add find };
+neverallow init servicemanager:service_manager list;
-- 
GitLab
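Review bot: The two comments added to domain.te describe the rules more narrowly than what they enforce. The second rule covers both `add` and `find`, but its comment mentions only adding, and the first rule constrains the target type of a `list` request rather than which process handles it. Suggest `# list is only meaningful against servicemanager itself; no other target type may be listed` above the first rule and `# only service_manager_type targets may be added to or looked up in servicemanager` above the second, so a later reader does not assume `find` on a non-service type is still permitted. The enclosing `neverallow { ... } shell_data_file:lnk_file read;` block that provides context starts before this hunk.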
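Review bot: The init.te rules enumerate the permissions (`add find` and `list`) and the target types, so a permission added to the `service_manager` class later, or a target that is neither a `service_manager_type` nor `servicemanager`, would not be caught even though the stated intent is that init never touches service manager at all. Given that intent, a single `neverallow init *:service_manager *;` expresses it directly and stays correct as the class evolves; if the narrower form is deliberate, a comment saying why would help. The commit message also notes this usually indicates a process left in init's domain, which is worth stating in the policy comment, e.g. `# A hit here usually means a service lacks a seclabel and is running as init.`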