Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / 04ee5dfb80491f8493fedcd099bd4551c9503c83
commit04ee5dfb80491f8493fedcd099bd4551c9503c83[log] [tgz]
authorStephen Smalley <sds@tycho.nsa.gov>Thu Jan 30 13:23:08 2014 -0500
committerStephen Smalley <sds@tycho.nsa.gov>Thu Jan 30 14:36:57 2014 -0500
tree93b8c4a356b34db766cd84eaef6b612daad78b73
parent997680a3b78db39cf442f80fd92d4eb93d0f262a [diff]
Remove MAC capabilities from unconfined domains.

Linux defines two capabilities for Mandatory Access Control (MAC)
security modules, CAP_MAC_OVERRIDE (override MAC access restrictions)
and CAP_MAC_ADMIN (allow MAC configuration or state changes).
SELinux predates these capabilities and did not originally use them,
but later made use of CAP_MAC_ADMIN as a way to control the ability
to set security context values unknown to the currently loaded
SELinux policy on files.  That facility is used in Linux for e.g.
livecd creation where a file security context that is being set
on a generated filesystem is not known to the build host policy.
Internally, files with such labels are treated as having the unlabeled
security context for permission checking purposes until/unless the
context is later defined through a policy reload.

CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs
to be allowed.  CAP_MAC_ADMIN is only checked if setting an
unknown security context value; the only legitimate use I can see
in Android is the recovery console, where a context may need to be set
on /system that is not defined in the recovery policy.

Remove these capabilities from unconfined domains, allow
mac_admin for the recovery domain, and add neverallow rules.

Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
3 files changed
tree: 93b8c4a356b34db766cd84eaef6b612daad78b73
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. attributes
  7. binderservicedomain.te
  8. bluetooth.te
  9. bootanim.te
  10. clatd.te
  11. debuggerd.te
  12. device.te
  13. dhcp.te
  14. dnsmasq.te
  15. domain.te
  16. drmserver.te
  17. dumpstate.te
  18. file.te
  19. file_contexts
  20. fs_use
  21. genfs_contexts
  22. global_macros
  23. gpsd.te
  24. hci_attach.te
  25. healthd.te
  26. hostapd.te
  27. init.te
  28. init_shell.te
  29. initial_sid_contexts
  30. initial_sids
  31. inputflinger.te
  32. installd.te
  33. isolated_app.te
  34. kernel.te
  35. keys.conf
  36. keystore.te
  37. lmkd.te
  38. mac_permissions.xml
  39. media_app.te
  40. mediaserver.te
  41. mls
  42. mls_macros
  43. mtp.te
  44. net.te
  45. netd.te
  46. nfc.te
  47. NOTICE
  48. platform_app.te
  49. policy_capabilities
  50. port_contexts
  51. ppp.te
  52. property.te
  53. property_contexts
  54. qemud.te
  55. racoon.te
  56. radio.te
  57. README
  58. recovery.te
  59. release_app.te
  60. rild.te
  61. roles
  62. runas.te
  63. sdcardd.te
  64. seapp_contexts
  65. security_classes
  66. selinux-network.sh
  67. servicemanager.te
  68. shared_app.te
  69. shell.te
  70. shelldomain.te
  71. su.te
  72. surfaceflinger.te
  73. system_app.te
  74. system_server.te
  75. te_macros
  76. tee.te
  77. ueventd.te
  78. unconfined.te
  79. untrusted_app.te
  80. users
  81. vold.te
  82. watchdogd.te
  83. wpa_supplicant.te
  84. zygote.te