Remove MAC capabilities from unconfined domains.
Linux defines two capabilities for Mandatory Access Control (MAC)
security modules, CAP_MAC_OVERRIDE (override MAC access restrictions)
and CAP_MAC_ADMIN (allow MAC configuration or state changes).
SELinux predates these capabilities and did not originally use them,
but later made use of CAP_MAC_ADMIN as a way to control the ability
to set security context values unknown to the currently loaded
SELinux policy on files. That facility is used in Linux for e.g.
livecd creation where a file security context that is being set
on a generated filesystem is not known to the build host policy.
Internally, files with such labels are treated as having the unlabeled
security context for permission checking purposes until/unless the
context is later defined through a policy reload.
CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs
to be allowed. CAP_MAC_ADMIN is only checked if setting an
unknown security context value; the only legitimate use I can see
in Android is the recovery console, where a context may need to be set
on /system that is not defined in the recovery policy.
Remove these capabilities from unconfined domains, allow
mac_admin for the recovery domain, and add neverallow rules.
Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/recovery.te b/recovery.te
index eb2a2b0..abcf0cf 100644
--- a/recovery.te
+++ b/recovery.te
@@ -4,6 +4,8 @@
unconfined_domain(recovery)
relabelto_domain(recovery)
+allow recovery self:capability2 mac_admin;
+
allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
allow recovery unlabeled:filesystem mount;