commit 2637198f92d5d9c65262e42d78123d216889d546
author Nick Kralevich <nnk@google.com> Mon Jul 15 17:10:35 2013 -0700
committer Nick Kralevich <nnk@google.com> Mon Jul 15 17:16:08 2013 -0700
tree 207fa8e00f9e6ee2b960b26ffd080e77f591a702
parent 8a2ebe3477837b21b728135cd8780ffd528696af

Only init should be able to load a security policy

Bug: 9859477
Change-Id: Iadd26cac2f318b81701310788bed795dadfa5b6b

app.te

diff --git a/app.te b/app.te
index dd2fbe0..d90185c 100644
--- a/app.te
+++ b/app.te
@@ -138,7 +138,7 @@
 neverallow { appdomain -unconfineddomain } kernel:security { setenforce setbool };
 
 # Load security policy.
-neverallow { appdomain -unconfineddomain } kernel:security load_policy;
+neverallow appdomain kernel:security load_policy;
 
 # Privileged netlink socket interfaces.
 neverallow { appdomain -unconfineddomain }

domain.te

diff --git a/domain.te b/domain.te
index 95c2423..291c562 100644
--- a/domain.te
+++ b/domain.te
@@ -135,3 +135,10 @@
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
 allow domain unlabeled:lnk_file { create_file_perms };
 neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
+
+###
+### neverallow rules
+###
+
+# Only init should be able to load SELinux policies
+neverallow { domain -init } kernel:security load_policy;

init.te

diff --git a/init.te b/init.te
index 2cbf14d..9be5955 100644
--- a/init.te
+++ b/init.te
@@ -9,3 +9,4 @@
 allow init unlabeled:filesystem mount;
 
 allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
+allow init kernel:security load_policy;

unconfined.te

diff --git a/unconfined.te b/unconfined.te
index a3af7d7..9b1b992 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -1,5 +1,5 @@
 allow unconfineddomain self:capability_class_set *;
-allow unconfineddomain kernel:security *;
+allow unconfineddomain kernel:security ~load_policy;
 allow unconfineddomain kernel:system *;
 allow unconfineddomain self:memprotect *;
 allow unconfineddomain domain:process *;