Something went wrong on our end
-
Stephen Smalley authoredexecute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>Stephen Smalley authoredexecute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail. Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3 Signed-off-by:Stephen Smalley <sds@tycho.nsa.gov>