Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / ddf98fa8cf11000f91329945abc23ee791adfe69^! / .
commitddf98fa8cf11000f91329945abc23ee791adfe69[log] [tgz]
authorGeremy Condra <gcondra@google.com>Thu Oct 31 11:17:23 2013 -0700
committerNick Kralevich <nnk@google.com>Thu Nov 07 16:17:32 2013 -0800
treeecd42d0e6822c2701d0bc364be3ca479860a875b
parent0ea4ac8a12efa2f847625917f35b5cbedec3853a [diff]
Neverallow access to the kmem device from userspace.

Change-Id: If26baa947ff462f5bb09b75918a4130097de5ef4

diff --git a/app.te b/app.te
index 8e220ff..6e95ffb 100644
--- a/app.te
+++ b/app.te

@@ -137,9 +137,6 @@
 # Block device access.
 neverallow { appdomain -unconfineddomain } dev_type:blk_file { read write };
 
-# Kernel memory access.
-neverallow { appdomain -unconfineddomain } kmem_device:chr_file { read write };
-
 # Access to any character device that is not specifically typed.
 neverallow { appdomain -unconfineddomain } device:chr_file { read write };
 

diff --git a/domain.te b/domain.te
index 4d41195..55a7b81 100644
--- a/domain.te
+++ b/domain.te

@@ -139,3 +139,7 @@
 
 # Ensure that all entrypoint executables are in exec_type.
 neverallow domain { file_type -exec_type }:file entrypoint;
+
+# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
+neverallow { domain -kernel -ueventd -init } kmem_device:chr_file *;
+neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };

diff --git a/netd.te b/netd.te
index d8d65c9..d60e377 100644
--- a/netd.te
+++ b/netd.te

@@ -64,9 +64,6 @@
 # Block device access.
 neverallow netd dev_type:blk_file { read write };
 
-# Kernel memory access.
-neverallow netd kmem_device:chr_file { read write };
-
 # Setting SELinux enforcing status or booleans.
 neverallow netd kernel:security { setenforce setbool };
 

diff --git a/unconfined.te b/unconfined.te
index 80f88b7..35db54f 100644
--- a/unconfined.te
+++ b/unconfined.te

@@ -30,7 +30,7 @@
 allow unconfineddomain domain:key *;
 allow unconfineddomain fs_type:filesystem *;
 allow unconfineddomain {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } ~relabelto;
-allow unconfineddomain {fs_type dev_type file_type}:{ chr_file file } ~{entrypoint relabelto};
+allow unconfineddomain {fs_type dev_type file_type -kmem_device}:{ chr_file file } ~{entrypoint relabelto};
 allow unconfineddomain node_type:node *;
 allow unconfineddomain node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
 allow unconfineddomain netif_type:netif *;