neverallow: domain:file execute and entrypoint

Occasionally, files get labeled with the domain type rather
than the executable file type. This can work if the author
uses domain_auto_trans() versus init_daemon_domain(). This
will cause a lot of issues and is typically not what the
author intended.

Another case where exec on a domain type might occur is if
someone attempts to execute a /proc/pid file; this also
does not make sense.

To prevent this, we add a neverallow.

Change-Id: I39aff58c8f5a2f17bafcd2be33ed387199963b5f
Signed-off-by: William Roberts <william.c.roberts@intel.com>
diff --git a/domain.te b/domain.te
index 7324738..a317050 100644
--- a/domain.te
+++ b/domain.te
@@ -537,3 +537,16 @@
 
 # Prevent assigning non property types to properties
 neverallow domain ~property_type:property_service set;
+
+# Domain types should never be assigned to any files other
+# than the /proc/pid files associated with a process. The
+# executable file used to enter a domain should be labeled
+# with its own _exec type, not with the domain type.
+# Conventionally, this looks something like:
+# $ cat mydaemon.te
+# type mydaemon, domain;
+# type mydaemon_exec, exec_type, file_type;
+# init_daemon_domain(mydaemon)
+# $ grep mydaemon file_contexts
+# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
+neverallow domain domain:file { execute execute_no_trans entrypoint };
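Review bot: the comment in this hunk overstates what the rule enforces. The text says domain types "should never be assigned to any files other than the /proc/pid files", but a neverallow is checked against allow rules at policy build time, not against file_contexts, so a stray `/system/bin/mydaemon -- u:object_r:mydaemon:s0` entry is still accepted; what the new rule actually catches is any allow rule (such as the one domain_auto_trans() emits when given a domain type in place of an _exec type) that grants `execute`, `execute_no_trans` or `entrypoint` on a domain-typed file. Suggest rewording the lead sentence to match, e.g. "No domain may execute, or be entered via, a file labeled with a domain type; executables must carry their own _exec type", and keeping the mydaemon.te / file_contexts example as the illustration of the correct labeling. It would also help to state in the comment the assumption that is doing the work here: /proc/pid files are the only legitimately domain-labeled files, and nothing needs execute on them, which is why reads and writes on domain:file remain permitted while the three exec-related permissions are denied.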