selinux-policy: adjust kernel permissions for NFS

packages/selinux-policy/mcs.cil

@@ -86,9 +86,11 @@
 ; Restrict process transitions unless one of these conditions is met:
 ; * the new label exactly matches the old label
 ; * the source context is for a trusted subject
+; * the target context is not forbidden
 
 (mlsconstrain (processes (transform))
-  (or (eq t1 trusted_s)
+  (or (and (eq t1 trusted_s)
+           (neq t2 forbidden_t))
       (and (and (and (and
            (eq u1 u2)
            (eq r1 r2))

packages/selinux-policy/rules.cil

@@ -166,10 +166,28 @@
 ; Subjects that must run verified code can execute immutable objects, since
 ; those are all protected by dm-verity.
 (allow verified_s immutable_o (files (execute)))
+(allow kernel_t immutable_o (files (execute)))
 
 ; Subjects that must run verified code cannot execute mutable objects.
 (neverallow verified_s mutable_o (files (execute)))
 
+; Ideally the kernel would also be denied permission to execute mutable
+; objects. However, this breaks certain scenarios such as serving files
+; over NFS, where the kernel's permissions are checked.
+(allow kernel_t mutable_o (file (execute)))
+
+; Prevent the kernel from executing mutable objects by blocking execution
+; unless there's a defined transition.
+(neverallow kernel_t mutable_o (file (execute_no_trans)))
+
+; Backstop against kernel execution of mutable objects by defining a type
+; transition, which is then explicitly disallowed.
+(typetransition kernel_t mutable_o process forbidden_t)
+(neverallow kernel_t forbidden_t (processes (transform)))
+
+; Block the use of any object as an entry point to the forbidden type.
+(neverallow forbidden_t all_o (files (enter)))
+
 ; All subjects are allowed to write to objects with their own label.
 ; This includes files like the ones under /proc/self.
 (allow all_s self (files (mutate)))

packages/selinux-policy/subject.cil

@@ -68,12 +68,18 @@
 (roletype system_r super_t)
 (context admin (system_u system_r super_t s0))
 
+; Processes that should never exist.
+(type forbidden_t)
+(roletype system_r forbidden_t)
+(context forbidden (system_u system_r forbidden_t s0))
+
 ; The set of all subjects.
 (typeattribute all_s)
 (typeattributeset all_s (
   kernel_t init_t system_t mount_t api_t
   network_t clock_t bus_t runtime_t
-  container_t control_t super_t))
+  container_t control_t super_t
+  forbidden_t))
 
 ; Subjects that are treated as a privileged part of the OS.
 (typeattribute privileged_s)
@@ -121,7 +127,8 @@
 
 ; Subjects shipped with the OS that should only execute verified code.
 (typeattribute verified_s)
-(typeattributeset verified_s (xor (host_s) (runtime_t mount_t api_t init_t)))
+(typeattributeset verified_s (xor (host_s) (
+  runtime_t mount_t api_t init_t kernel_t)))
 
 ; Subjects that are allowed to manage the system clock.
 (typeattribute clock_s)