am e244f2d3: Allow init to mount filesystems on properly labeled folders

* commit 'e244f2d3': Allow init to mount filesystems on properly labeled folders

am e244f2d3: Allow init to mount filesystems on properly labeled folders
97199122 · Daniel Rosenberg · Android Git Automerger · 14ac6bc3 · e244f2d3 · 97199122
Commit 97199122 authored 9 years ago by Daniel Rosenberg Committed by Android Git Automerger 9 years ago
--- a/domain.te
+++ b/domain.te
@@ -327,7 +327,8 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
 neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
 # Don't allow mounting on top of /system files or directories
-neverallow domain { system_file exec_type }:dir_file_class_set mounton;
+neverallow domain exec_type:dir_file_class_set mounton;
+neverallow { domain -init } system_file:dir_file_class_set mounton;
 # Nothing should be writing to files in the rootfs.
 neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };

--- a/init.te
+++ b/init.te
@@ -43,7 +43,7 @@ allow init self:capability sys_admin;
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init rootfs:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;