sepolicy: allow cross-user unnamed pipe access
Exempt unnamed pipes from the MLS constraints so that they can
be used for cross-user communications when passed over binder or
local socket IPC.
Addresses denials such as:
avc: denied { read } for path="pipe:[59071]" dev="pipefs" ino=59071 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=fifo_file
Bug: 19087939
Change-Id: I77d494c4a38bf473fec05b728eaf253484deeaf8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/mls b/mls
index 3a64004..d5942c3 100644
--- a/mls
+++ b/mls
@@ -78,12 +78,13 @@
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
# creating process' label. Thus we also have an exemption when the "object"
-# is a MLS trusted subject and can receive data at any level.
+# is a domain type, so that processes can communicate via unnamed pipes
+# passed by binder or local socket IPC.
mlsconstrain fifo_file { read getattr }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
mlsconstrain fifo_file { write setattr append unlink link rename }
- (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == mlstrustedsubject);
+ (l1 domby l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
#
# IPC constraints