From 02cfce49ae94b804cc2b95012be129ea137a26bb Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sun, 30 Oct 2016 18:42:17 -0700
Subject: [PATCH] kernel.te: tighten entrypoint / execute_no_trans neverallow

The kernel domain exists solely on boot, and is used by kernel threads.
Because of the way the system starts, there is never an entrypoint for
that domain, not even a file on rootfs. So tighten up the neverallow
restriction.

Remove an obsolete comment. The *.rc files no longer have a setcon
statement, and the transition from the kernel domain to init occurs
because init re-execs itself. The statement no longer applies.

Test: bullhead policy compiles.
Change-Id: Ibe75f3d25804453507dbb05c7a07bba1d37a1c7b
---
 public/kernel.te | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/public/kernel.te b/public/kernel.te
index 556904c1f..c404fc077 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -87,9 +87,6 @@ neverallow * kernel:process { transition dyntransition };
 # possible causes include:
 # - The program is a kernel usermodehelper.  In this case, define a domain
 #   for the program and domain_auto_trans() to it.
-# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
-#   program was left in the kernel domain and is now trying to execute
-#   some other program.  Fix your init.rc file.
 # - You are running an exploit which switched to the init task credentials
 #   and is then trying to exec a shell or other program.  You lose!
-neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
+neverallow kernel *:file { entrypoint execute_no_trans };
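Review bot: widening the object set from `{ file_type fs_type -rootfs }` to `*` in the last line means any remaining `allow kernel ...:file { entrypoint execute_no_trans }` rule on a rootfs-labelled file, including in device-specific policy outside public/kernel.te, will now be rejected by the neverallow check at build time; since the Test line covers only bullhead, building the other device policies before merging would confirm nothing else depends on the rootfs exception. The commit message's justification (no entrypoint for the kernel domain ever exists, not even on rootfs) would also be useful as a short comment next to the rule, since the comment block above it still lists denial causes but no longer records why rootfs is not exempted.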
-- 
GitLab