am e5db229e: am 8d9ef067: Merge "Remove MAC capabilities from unconfined domains."

* commit 'e5db229e': Remove MAC capabilities from unconfined domains.

am e5db229e: am 8d9ef067: Merge "Remove MAC capabilities from unconfined domains."
5dfb67d1 · Nick Kralevich · Android Git Automerger · eec70252 · e5db229e · 5dfb67d1
Commit 5dfb67d1 authored 11 years ago by Nick Kralevich Committed by Android Git Automerger 11 years ago
--- a/domain.te
+++ b/domain.te
@@ -147,6 +147,9 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;
 ### neverallow rules
 ###
+neverallow domain self:capability2 mac_override;
+neverallow { domain -recovery } self:capability2 mac_admin;
 # Only init should be able to load SELinux policies.
 # The first load technically occurs while still in the kernel domain,
 # but this does not trigger a denial since there is no policy yet.

--- a/recovery.te
+++ b/recovery.te
@@ -4,6 +4,8 @@ allow recovery rootfs:file entrypoint;
 unconfined_domain(recovery)
 relabelto_domain(recovery)
+allow recovery self:capability2 mac_admin;
 allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
 allow recovery unlabeled:filesystem mount;

--- a/unconfined.te
+++ b/unconfined.te
@@ -16,7 +16,8 @@
 # The use of this template is discouraged.
 ######################################################
-allow unconfineddomain self:capability_class_set *;
+allow unconfineddomain self:capability *;
+allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };