From acb4871ff320f0e3c0745cc25fbc5cf78421960d Mon Sep 17 00:00:00 2001
From: Peter Enderborg <peter.enderborg@sony.com>
Date: Wed, 30 Aug 2017 10:17:49 +0200
Subject: [PATCH] Only allow init to start vold

Hardening vold. Vold has many rights to system-sensitive parts and
is started by init. Enforce this security.

Bug: 64791922
Test: Manual
Change-Id: I077d251d1eb7b7292e1a4a785093cb7bf5524a83
---
 public/vold.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/vold.te b/public/vold.te
index bb2b3d789..99f0bb384 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -189,3 +189,4 @@ neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
 neverallow vold fsck_exec:file execute_no_trans;
+neverallow { domain -init } vold:process { transition dyntransition };
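Review bot: The new neverallow on the last line of the hunk carries no comment stating what it asserts, and nothing in the hunk or the commit message notes that a neverallow is a policy build-time (and CTS-checked) assertion rather than a runtime denial: it fails the build if any allow rule would let a domain other than init transition or dyntransition into vold, but it does not itself remove any access. I would add above it: `# Only init may enter the vold domain; any allow rule granting transition or dyntransition into vold from another domain fails the policy build (b/64791922).` Note that the rule only covers entry into the vold domain; whether other domains hold `vold_exec:file execute_no_trans` or other rights on vold's files is not visible in this hunk and is unaffected by this change. The surrounding neverallow block continues before the hunk start.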
-- 
GitLab