Prevent adding transitions to kernel or init domains.
Add neverallow rules to prohibit adding any transitions into
the kernel or init domains. Rewrite the domain self:process
rule to use a positive permission list and omit the transition
and dyntransition permissions from this list as well as other
permissions only checked when changing contexts. This should be
a no-op since these permissions are only checked when
changing contexts but avoids needing to exclude kernel or init
from the neverallow rules.
Change-Id: Id114b1085cec4b51684c7bd86bd2eaad8df3d6f8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/domain.te b/domain.te
index 86c683f..466e48a 100644
--- a/domain.te
+++ b/domain.te
@@ -11,7 +11,23 @@
allow domain tmpfs:dir r_dir_perms;
# Intra-domain accesses.
-allow domain self:process ~{ execmem execstack execheap ptrace setexec setfscreate setcurrent setkeycreate setsockcreate };
+allow domain self:process {
+ fork
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ getattr
+ setrlimit
+};
allow domain self:fd use;
allow domain self:dir r_dir_perms;
allow domain self:lnk_file r_file_perms;
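Review bot: The rewritten `allow domain self:process { ... }` list has no comment recording which permissions were left out on purpose, so a later maintainer could "restore" transition or dyntransition and silently violate the neverallow rules in init.te and kernel.te (init and kernel are members of domain, so `allow init self:process transition` is `allow init init:process transition`). Suggest a comment above the rule, e.g. `# Deliberately omits transition, dyntransition and the other permissions only checked when changing contexts (presumably share, noatsecure, siginh, rlimitinh); granting them on self would contradict the neverallow rules on the kernel and init domains.` Whether this list is exactly the old complement minus those permissions depends on the process class in access_vectors, which is not in this patch; worth confirming nothing else was dropped unintentionally.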
diff --git a/init.te b/init.te
index e4d1f88..3f4d706 100644
--- a/init.te
+++ b/init.te
@@ -76,3 +76,13 @@
# Create /data/property and files within it.
allow init property_data_file:dir create_dir_perms;
allow init property_data_file:file create_file_perms;
+
+###
+### neverallow rules
+###
+
+# The init domain is only entered via setcon from the kernel domain,
+# never via an exec-based transition.
+neverallow { domain -kernel} init:process dyntransition;
+neverallow domain init:process transition;
+neverallow init { file_type fs_type }:file entrypoint;
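Review bot: The set on the first neverallow is written `{ domain -kernel}` while the one two lines below is `{ file_type fs_type }`; for consistency write `neverallow { domain -kernel } init:process dyntransition;`. The kernel-to-init dyntransition that the comment relies on is not granted anywhere in this hunk, so it presumably lives in kernel.te or elsewhere in init.te; it would be worth noting in the comment where that allow rule is, since these three neverallows are the only thing documenting how init is entered.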
diff --git a/kernel.te b/kernel.te
index 0de0ab8..08ccbf5 100644
--- a/kernel.te
+++ b/kernel.te
@@ -30,3 +30,11 @@
# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;
+
+###
+### neverallow rules
+###
+
+# The initial task starts in the kernel domain (assigned via
+# initial_sid_contexts), but nothing ever transitions to it.
+neverallow domain kernel:process { transition dyntransition };
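Review bot: init.te in this same patch pairs its transition neverallow with `neverallow init { file_type fs_type }:file entrypoint;`, but the kernel domain gets only the process-class rule; for parity add `neverallow kernel { file_type fs_type }:file entrypoint;` so that neither half of an exec-based transition into kernel can ever be granted. The comment could also say that kernel threads stay in the kernel domain through fork rather than any transition, which is presumably why no exception is needed here, though that is inferred rather than shown by the hunk.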