Restrict ability to set checkreqprot.
Now that we set /sys/fs/selinux/checkreqprot via init.rc,
restrict the ability to set it to only the kernel domain.
Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/domain.te b/domain.te
index a498980..653a507 100644
--- a/domain.te
+++ b/domain.te
@@ -148,7 +148,7 @@
# init starts in kernel domain and switches to init domain via setcon in
# the init.rc, so the setenforce occurs while still in kernel. After
# switching domains, there is never any need to setenforce again by init.
-neverallow { domain -kernel } kernel:security setenforce;
+neverallow { domain -kernel } kernel:security { setenforce setcheckreqprot };
# Only init, ueventd and system_server should be able to access HW RNG
neverallow { domain -init -system_server -ueventd -unconfineddomain } hw_random_device:chr_file *;
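Review bot: The comment above the neverallow (the three lines starting "init starts in kernel domain") still describes only setenforce, while the rule on the new side now also covers setcheckreqprot; a reader checking why a non-kernel domain is denied setcheckreqprot will find no rationale here. Since the commit message explains that checkreqprot is set from init.rc while init is still in the kernel domain, the comment should say so, e.g. `# the init.rc, so the setenforce and setcheckreqprot occur while still in kernel.` followed by `# After switching domains, there is never any need for init to set either again.`. Stating that rationale next to the rule matters because checkreqprot selects whether execmem/execmod checks apply to the requested or the actual mapping protection, so a domain able to flip it could weaken those checks for every other domain; the neverallow is what guarantees only kernel can. The matching explicit allow in kernel.te in this same commit is consistent with this rule and needs no change.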
diff --git a/kernel.te b/kernel.te
index 089786b..4ccce20 100644
--- a/kernel.te
+++ b/kernel.te
@@ -9,3 +9,6 @@
# Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel self:security setcheckreqprot;
diff --git a/unconfined.te b/unconfined.te
index bdebf3a..ef13402 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -17,7 +17,7 @@
######################################################
allow unconfineddomain self:capability_class_set *;
-allow unconfineddomain kernel:security ~{ load_policy setenforce };
+allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
allow unconfineddomain kernel:system *;
allow unconfineddomain domain:process ~ptrace;
allow unconfineddomain domain:fd *;