Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
A
AndroidSystemSEPolicy
Manage
Activity
Members
Code
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Deploy
Releases
Container Registry
Model registry
Analyze
Contributor analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Terms and privacy
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
Werner Sembach
AndroidSystemSEPolicy
Commits
6d97d9b8
Commit
6d97d9b8
authored
9 years ago
by
Nick Kralevich
Committed by
Gerrit Code Review
9 years ago
Browse files
Options
Downloads
Plain Diff
Merge "Revert "SELinux policy changes for re-execing init.""
parents
ecd57731
c450759e
No related branches found
No related tags found
No related merge requests found
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
domain.te
+1
-2
1 addition, 2 deletions
domain.te
file_contexts
+1
-1
1 addition, 1 deletion
file_contexts
init.te
+6
-23
6 additions, 23 deletions
init.te
kernel.te
+21
-7
21 additions, 7 deletions
kernel.te
with
29 additions
and
33 deletions
domain.te
+
1
−
2
View file @
6d97d9b8
...
@@ -299,8 +299,7 @@ neverallow { domain -init } property_data_file:file no_w_file_perms;
...
@@ -299,8 +299,7 @@ neverallow { domain -init } property_data_file:file no_w_file_perms;
# Only recovery should be doing writes to /system
# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
{ create write setattr relabelfrom append unlink link rename };
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
# Don't allow mounting on top of /system files or directories
neverallow domain { system_file exec_type }:dir_file_class_set mounton;
neverallow domain { system_file exec_type }:dir_file_class_set mounton;
...
...
This diff is collapsed.
Click to expand it.
file_contexts
+
1
−
1
View file @
6d97d9b8
...
@@ -12,7 +12,7 @@
...
@@ -12,7 +12,7 @@
# Executables
# Executables
/charger u:object_r:rootfs:s0
/charger u:object_r:rootfs:s0
/init u:object_r:
init_exec
:s0
/init u:object_r:
rootfs
:s0
/sbin(/.*)? u:object_r:rootfs:s0
/sbin(/.*)? u:object_r:rootfs:s0
# Empty directories
# Empty directories
...
...
This diff is collapsed.
Click to expand it.
init.te
+
6
−
23
View file @
6d97d9b8
# init
is its own domain
.
# init
switches to init domain (via init.rc)
.
type init, domain, mlstrustedsubject;
type init, domain, mlstrustedsubject;
tmpfs_domain(init)
tmpfs_domain(init)
# The init domain is entered by execing init.
type init_exec, exec_type, file_type;
# /dev/__null__ node created by init.
allow init tmpfs:chr_file create_file_perms;
#
# init direct restorecon calls.
#
# /dev/socket
allow init { device socket_device }:dir relabelto;
# /dev/__properties__
allow init tmpfs:file relabelfrom;
allow init properties_device:file relabelto;
# setrlimit
# setrlimit
allow init self:capability sys_resource;
allow init self:capability sys_resource;
...
@@ -45,8 +30,6 @@ allow init self:capability sys_admin;
...
@@ -45,8 +30,6 @@ allow init self:capability sys_admin;
allow init rootfs:dir create_dir_perms;
allow init rootfs:dir create_dir_perms;
allow init rootfs:dir mounton;
allow init rootfs:dir mounton;
allow init proc:dir mounton;
# Mount on /dev/usb-ffs/adb.
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
allow init device:dir mounton;
...
@@ -161,8 +144,8 @@ recovery_only(`
...
@@ -161,8 +144,8 @@ recovery_only(`
domain_trans(init, rootfs, recovery)
domain_trans(init, rootfs, recovery)
')
')
domain_trans(init, shell_exec, shell)
domain_trans(init, shell_exec, shell)
domain_trans(init,
init_exec
, ueventd)
domain_trans(init,
rootfs
, ueventd)
domain_trans(init,
init_exec
, watchdogd)
domain_trans(init,
rootfs
, watchdogd)
# Support "adb shell stop"
# Support "adb shell stop"
allow init self:capability kill;
allow init self:capability kill;
...
@@ -274,9 +257,9 @@ unix_socket_connect(init, vold, vold)
...
@@ -274,9 +257,9 @@ unix_socket_connect(init, vold, vold)
# The init domain is only entered via setcon from the kernel domain,
# The init domain is only entered via setcon from the kernel domain,
# never via an exec-based transition.
# never via an exec-based transition.
neverallow domain init:process dyntransition;
neverallow
{
domain
-kernel}
init:process dyntransition;
neverallow
{
domain
-kernel}
init:process transition;
neverallow domain init:process transition;
neverallow init { file_type fs_type
-init_exec
}:file entrypoint;
neverallow init { file_type fs_type }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
neverallow init shell_data_file:lnk_file read;
...
...
This diff is collapsed.
Click to expand it.
kernel.te
+
21
−
7
View file @
6d97d9b8
...
@@ -3,11 +3,15 @@ type kernel, domain, mlstrustedsubject;
...
@@ -3,11 +3,15 @@ type kernel, domain, mlstrustedsubject;
allow kernel self:capability sys_nice;
allow kernel self:capability sys_nice;
# Allow init relabel itself.
# Run /init before we have switched domains.
allow kernel rootfs:file relabelfrom;
allow kernel rootfs:file execute_no_trans;
allow kernel init_exec:file relabelto;
# TODO: investigate why we need this.
# /dev/__null__ node created by init prior to policy load.
allow kernel init:process share;
allow kernel tmpfs:chr_file rw_file_perms;
# setcon to init domain.
allow kernel self:process setcurrent;
allow kernel init:process dyntransition;
# cgroup filesystem initialization prior to setting the cgroup root directory label.
# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;
allow kernel unlabeled:dir search;
...
@@ -16,6 +20,18 @@ allow kernel unlabeled:dir search;
...
@@ -16,6 +20,18 @@ allow kernel unlabeled:dir search;
allow kernel usbfs:filesystem mount;
allow kernel usbfs:filesystem mount;
allow kernel usbfs:dir search;
allow kernel usbfs:dir search;
# init direct restorecon calls prior to switching to init domain
# /dev and /dev/socket
allow kernel tmpfs:dir relabelfrom;
allow kernel { device socket_device }:dir relabelto;
# /dev/__properties__
allow kernel tmpfs:file relabelfrom;
allow kernel properties_device:file relabelto;
# /sys
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
allow kernel sysfs_type:{ dir file lnk_file } relabelto;
allow kernel sysfs_type:dir r_dir_perms;
# Initial setenforce by init prior to switching to init domain.
# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
# process from turning off SELinux once enabled.
...
@@ -42,8 +58,6 @@ allow kernel vold:fd use;
...
@@ -42,8 +58,6 @@ allow kernel vold:fd use;
allow kernel app_data_file:file read;
allow kernel app_data_file:file read;
allow kernel asec_image_file:file read;
allow kernel asec_image_file:file read;
domain_auto_trans(kernel, init_exec, init)
###
###
### neverallow rules
### neverallow rules
###
###
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment