commit f2c4e1283e91f7a91963d1d68a27f515027d97b4
author Nick Kralevich <nnk@google.com> Tue Jul 14 11:46:30 2015 -0700
committer Nick Kralevich <nnk@google.com> Tue Jul 14 13:06:12 2015 -0700
tree c4a671005e277bc734ca3a9f27d857705590954b
parent 10a3a36a6e9009664ecdb9a9d98100a897912469

neverallow service_manager / service_manager_type

Init never uses / add service manager services. It doesn't make
sense to allow these rules to init. Adding a rule of this type
is typically caused by a process inappropriately running in init's
SELinux domain, and the warning message:

  Warning!  Service %s needs a SELinux domain defined; please fix!

is ignored.

In addition, add neverallow rules to domain.te which prevent
nonsense SELinux service_manager rules from being added.

Change-Id: Id04a50d1826fe451a9ed216aa7ab249d0393cc57

domain.te

diff --git a/domain.te b/domain.te
index eb22ec7..23dabf5 100644
--- a/domain.te
+++ b/domain.te
@@ -494,3 +494,9 @@
   -installd
   -surfaceflinger # TODO: see if we can remove from mako sepolicy
 } shell_data_file:lnk_file read;
+
+# servicemanager is the only process which handles list request
+neverallow domain ~servicemanager:service_manager list;
+
+# only service_manager_types can be added to service_manager
+neverallow domain ~service_manager_type:service_manager { add find };

init.te

diff --git a/init.te b/init.te
index 34b010c..9fdfd22 100644
--- a/init.te
+++ b/init.te
@@ -282,3 +282,7 @@
 
 # init should never execute a program without changing to another domain.
 neverallow init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow init service_manager_type:service_manager { add find };
+neverallow init servicemanager:service_manager list;