Skip to content
Snippets Groups Projects
Commit 6d97d9b8 authored by Nick Kralevich's avatar Nick Kralevich Committed by Gerrit Code Review
Browse files

Merge "Revert "SELinux policy changes for re-execing init.""

parents ecd57731 c450759e
No related branches found
No related tags found
No related merge requests found
...@@ -299,8 +299,7 @@ neverallow { domain -init } property_data_file:file no_w_file_perms; ...@@ -299,8 +299,7 @@ neverallow { domain -init } property_data_file:file no_w_file_perms;
# Only recovery should be doing writes to /system # Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
{ create write setattr relabelfrom append unlink link rename }; { create write setattr relabelfrom relabelto append unlink link rename };
neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories # Don't allow mounting on top of /system files or directories
neverallow domain { system_file exec_type }:dir_file_class_set mounton; neverallow domain { system_file exec_type }:dir_file_class_set mounton;
......
...@@ -12,7 +12,7 @@ ...@@ -12,7 +12,7 @@
# Executables # Executables
/charger u:object_r:rootfs:s0 /charger u:object_r:rootfs:s0
/init u:object_r:init_exec:s0 /init u:object_r:rootfs:s0
/sbin(/.*)? u:object_r:rootfs:s0 /sbin(/.*)? u:object_r:rootfs:s0
# Empty directories # Empty directories
......
# init is its own domain. # init switches to init domain (via init.rc).
type init, domain, mlstrustedsubject; type init, domain, mlstrustedsubject;
tmpfs_domain(init) tmpfs_domain(init)
# The init domain is entered by execing init.
type init_exec, exec_type, file_type;
# /dev/__null__ node created by init.
allow init tmpfs:chr_file create_file_perms;
#
# init direct restorecon calls.
#
# /dev/socket
allow init { device socket_device }:dir relabelto;
# /dev/__properties__
allow init tmpfs:file relabelfrom;
allow init properties_device:file relabelto;
# setrlimit # setrlimit
allow init self:capability sys_resource; allow init self:capability sys_resource;
...@@ -45,8 +30,6 @@ allow init self:capability sys_admin; ...@@ -45,8 +30,6 @@ allow init self:capability sys_admin;
allow init rootfs:dir create_dir_perms; allow init rootfs:dir create_dir_perms;
allow init rootfs:dir mounton; allow init rootfs:dir mounton;
allow init proc:dir mounton;
# Mount on /dev/usb-ffs/adb. # Mount on /dev/usb-ffs/adb.
allow init device:dir mounton; allow init device:dir mounton;
...@@ -161,8 +144,8 @@ recovery_only(` ...@@ -161,8 +144,8 @@ recovery_only(`
domain_trans(init, rootfs, recovery) domain_trans(init, rootfs, recovery)
') ')
domain_trans(init, shell_exec, shell) domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd) domain_trans(init, rootfs, ueventd)
domain_trans(init, init_exec, watchdogd) domain_trans(init, rootfs, watchdogd)
# Support "adb shell stop" # Support "adb shell stop"
allow init self:capability kill; allow init self:capability kill;
...@@ -274,9 +257,9 @@ unix_socket_connect(init, vold, vold) ...@@ -274,9 +257,9 @@ unix_socket_connect(init, vold, vold)
# The init domain is only entered via setcon from the kernel domain, # The init domain is only entered via setcon from the kernel domain,
# never via an exec-based transition. # never via an exec-based transition.
neverallow domain init:process dyntransition; neverallow { domain -kernel} init:process dyntransition;
neverallow { domain -kernel} init:process transition; neverallow domain init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint; neverallow init { file_type fs_type }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps. # Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read; neverallow init shell_data_file:lnk_file read;
......
...@@ -3,11 +3,15 @@ type kernel, domain, mlstrustedsubject; ...@@ -3,11 +3,15 @@ type kernel, domain, mlstrustedsubject;
allow kernel self:capability sys_nice; allow kernel self:capability sys_nice;
# Allow init relabel itself. # Run /init before we have switched domains.
allow kernel rootfs:file relabelfrom; allow kernel rootfs:file execute_no_trans;
allow kernel init_exec:file relabelto;
# TODO: investigate why we need this. # /dev/__null__ node created by init prior to policy load.
allow kernel init:process share; allow kernel tmpfs:chr_file rw_file_perms;
# setcon to init domain.
allow kernel self:process setcurrent;
allow kernel init:process dyntransition;
# cgroup filesystem initialization prior to setting the cgroup root directory label. # cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search; allow kernel unlabeled:dir search;
...@@ -16,6 +20,18 @@ allow kernel unlabeled:dir search; ...@@ -16,6 +20,18 @@ allow kernel unlabeled:dir search;
allow kernel usbfs:filesystem mount; allow kernel usbfs:filesystem mount;
allow kernel usbfs:dir search; allow kernel usbfs:dir search;
# init direct restorecon calls prior to switching to init domain
# /dev and /dev/socket
allow kernel tmpfs:dir relabelfrom;
allow kernel { device socket_device }:dir relabelto;
# /dev/__properties__
allow kernel tmpfs:file relabelfrom;
allow kernel properties_device:file relabelto;
# /sys
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
allow kernel sysfs_type:{ dir file lnk_file } relabelto;
allow kernel sysfs_type:dir r_dir_perms;
# Initial setenforce by init prior to switching to init domain. # Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace # We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled. # process from turning off SELinux once enabled.
...@@ -42,8 +58,6 @@ allow kernel vold:fd use; ...@@ -42,8 +58,6 @@ allow kernel vold:fd use;
allow kernel app_data_file:file read; allow kernel app_data_file:file read;
allow kernel asec_image_file:file read; allow kernel asec_image_file:file read;
domain_auto_trans(kernel, init_exec, init)
### ###
### neverallow rules ### neverallow rules
### ###
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment