am f094e58f: am 715023eb: Merge "Changed unconfined process policy to a whitelist."

* commit 'f094e58f': Changed unconfined process policy to a whitelist.

am f094e58f: am 715023eb: Merge "Changed unconfined process policy to a whitelist."
969f53a9 · Daniel Cashman · Android Git Automerger · ec87ecb9 · f094e58f · 969f53a9
Commit 969f53a9 authored 11 years ago by Daniel Cashman Committed by Android Git Automerger 11 years ago
--- a/unconfined.te
+++ b/unconfined.te
@@ -20,7 +20,27 @@ allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
 allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
-allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition setexec setfscreate setcurrent setkeycreate setsockcreate };
+allow unconfineddomain domain:process {
+    fork
+    sigchld
+    sigkill
+    sigstop
+    signull
+    signal
+    getsched
+    setsched
+    getsession
+    getpgid
+    setpgid
+    getcap
+    setcap
+    share
+    getattr
+    noatsecure
+    siginh
+    setrlimit
+    rlimitinh
+};
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;