commit ee80bfb9cf5727ce9938f76d88ac50833edee48c
author Stephen Smalley <sds@tycho.nsa.gov> Fri Jan 11 14:01:35 2013 -0500
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Mar 19 22:30:03 2013 +0000
tree ee8616442448698505f43ec0fae1924d4a1954ae
parent c0890c899f572785b6a14a91bae6122b72db4416

Add policy assertions (neverallow rules).

Change-Id: I384ea9516a5ed2369f7fa703499e284e29a2c0eb
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

assert.te

diff --git a/assert.te b/assert.te
new file mode 100644
index 0000000..1f12c5e
--- /dev/null
+++ b/assert.te
@@ -0,0 +1,51 @@
+# Policy assertions.
+# These neverallow rules are checked by checkpolicy at policy build time.
+# checkpolicy will refuse to generate the kernel policy if any of these
+# assertions fail.
+
+# Superuser capabilities.
+# Only exception is sys_nice for binder, might not be necessary.
+neverallow appdomain self:capability ~sys_nice;
+neverallow appdomain self:capability2 *;
+
+# Block device access.
+neverallow appdomain dev_type:blk_file { read write };
+
+# Kernel memory access.
+neverallow appdomain kmem_device:chr_file { read write };
+
+# Setting SELinux enforcing status or booleans.
+# Conditionally allowed to system_app for SEAndroidManager.
+neverallow { appdomain -system_app } kernel:security { setenforce setbool };
+
+# Load security policy.
+neverallow appdomain kernel:security load_policy;
+
+# Privileged netlink socket interfaces.
+neverallow appdomain self:{ netlink_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket } *;
+
+# Access to /proc/pid entries for any non-app domain.
+# Violated by cts.te rules so commented out for now.
+#neverallow appdomain { domain - appdomain }:dir search;
+#neverallow appdomain { domain - appdomain }:lnk_file read;
+#neverallow appdomain { domain - appdomain }:file { read write };
+
+# ptrace access to non-app domains.
+neverallow appdomain { domain -appdomain }:process ptrace;
+
+# Transition to a non-app domain.
+# Shell excluded since it has a transition to runas.
+neverallow { appdomain -shell } ~appdomain:process { transition dyntransition };
+
+# Map low memory.
+neverallow appdomain self:memprotect mmap_zero;
+
+# Write to /system.
+neverallow appdomain system_file:dir_file_class_set write;
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts.  Define a different type for portions
+# that should be writable by apps.
+# Exception for system_app for Settings.
+neverallow { appdomain -system_app } system_data_file:dir_file_class_set write;