From 52dcc94deb81bc6fad7e0a744e0f5314ba3d1d2d Mon Sep 17 00:00:00 2001
From: Riley Spahn <rileyspahn@google.com>
Date: Fri, 30 May 2014 17:07:36 -0700
Subject: [PATCH] Changed unconfined process policy to a whitelist.

Rewrote the process policy in external/sepolicy/unconfined.te
from a blacklist to a whitelist to be more easily understood.
There were previously 11 disallowed permissions and now there are
19 allowed permissions.

Change-Id: Ida4dc881c5fedc56980324774f40e09a9b8a830a
---
 unconfined.te | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/unconfined.te b/unconfined.te
index 7c7fa4d99..123d16f95 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -20,7 +20,27 @@ allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
 allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
-allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition setexec setfscreate setcurrent setkeycreate setsockcreate };
+allow unconfineddomain domain:process {
+    fork
+    sigchld
+    sigkill
+    sigstop
+    signull
+    signal
+    getsched
+    setsched
+    getsession
+    getpgid
+    setpgid
+    getcap
+    setcap
+    share
+    getattr
+    noatsecure
+    siginh
+    setrlimit
+    rlimitinh
+};
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;
-- 
GitLab