Ensure that domain and appdomain attributes are assigned.

Prevent defining any process types without the domain attribute
so that all allow and neverallow rules written on domain are
applied to all processes.

Prevent defining any app process types without the appdomain
attribute so that all allow and neverallow rules written on
appdomain are applied to all app processes.

Change-Id: I4cb565314fd40e1e82c4360efb671b175a1ee389
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/domain.te b/domain.te
index d033d4e..9614ab3 100644
--- a/domain.te
+++ b/domain.te
@@ -400,3 +400,11 @@
 # neverallow { domain -appdomain } file_type:file execmod;
 
 neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
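Review bot: the two rules together only close the transition path; they rely on the initial process type (the kernel domain the first process starts in) already carrying the domain attribute, otherwise nothing in this hunk forces the very first transition into init to be covered. Worth stating that assumption in the comment block, and also noting that the second rule (`neverallow ~domain domain:process { transition dyntransition };`) is defense in depth: if the first rule holds, no process can ever be in a `~domain` type, so the reverse direction can never be exercised, but keeping it makes the invariant explicit if a later change adds a non-domain process type by some other route.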
diff --git a/zygote.te b/zygote.te
index d2f629c..0dba9b6 100644
--- a/zygote.te
+++ b/zygote.te
@@ -64,3 +64,15 @@
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server.
+neverallow zygote ~{ appdomain system_server }:process dyntransition;
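Review bot: this rule restricts only `dyntransition`, whereas the domain.te hunk constrains `{ transition dyntransition }`. Since the comment says zygote uses setcon (dyntransition) to enter app types, an exec-based `transition` out of zygote into a type outside `{ appdomain system_server }` would still be permitted by this neverallow; if zygote is not expected to exec into any other domain, either extend the rule to `{ transition dyntransition }` for consistency with domain.te, or state in the comment why exec-based transitions are deliberately left unconstrained here.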