From 50897feb6113c165d5d6ab72f3600976fd019db0 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 11 Jun 2015 20:47:59 -0700
Subject: [PATCH] sdcardd: ensure that init never executes sdcard daemon

Only vold should execute the sdcard daemon. Remove old code which
allows this, and add a neverallow rule to ensure that nobody tries
running with this old configuration.

Change-Id: I6d0133e65948ae69e3c48f7b5f21fc7956fe8168
---
 sdcardd.te | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sdcardd.te b/sdcardd.te
index cd2bc6411..a6648200e 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,8 +1,6 @@
 type sdcardd, domain;
 type sdcardd_exec, exec_type, file_type;
 
-init_daemon_domain(sdcardd) # TODO: deprecated in M
-
 allow sdcardd cgroup:dir create_dir_perms;
 allow sdcardd fuse_device:chr_file rw_file_perms;
 allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
@@ -31,3 +29,11 @@ allow sdcardd vold:fifo_file { read write getattr };
 
 # Allow running on top of expanded storage
 allow sdcardd mnt_expand_file:dir search;
+
+###
+### neverallow rules
+###
+
+# The sdcard daemon should no longer be started from init
+neverallow init sdcardd_exec:file execute;
+neverallow init sdcardd:process { transition dyntransition };
-- 
GitLab