Skip to content
Snippets Groups Projects
Commit bef30f8c authored by Nick Kralevich's avatar Nick Kralevich Committed by Android Git Automerger
Browse files

am 6d0e9c8f: init.te: delete kernel load policy support 

* commit '6d0e9c8f':
  init.te: delete kernel load policy support
parents e9ac2d6d 6d0e9c8f
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 2 additions and 3 deletions
domain.te
+ 2
3
View file @ bef30f8c
...@@ -209,11 +209,10 @@ neverallow domain self:capability2 mac_override; ...@@ -209,11 +209,10 @@ neverallow domain self:capability2 mac_override;
# Only recovery needs mac_admin to set contexts not defined in current policy. # Only recovery needs mac_admin to set contexts not defined in current policy.
neverallow { domain -recovery } self:capability2 mac_admin; neverallow { domain -recovery } self:capability2 mac_admin;
# Only init should be able to load SELinux policies. # Nobody should be able to load a new SELinux policy.
# The first load technically occurs while still in the kernel domain, # The first load technically occurs while still in the kernel domain,
# but this does not trigger a denial since there is no policy yet. # but this does not trigger a denial since there is no policy yet.
# Policy reload requires allowing this to the init domain. neverallow domain kernel:security load_policy;
neverallow { domain -init } kernel:security load_policy;
# Only init and the system_server can set selinux.reload_policy 1 # Only init and the system_server can set selinux.reload_policy 1
# to trigger a policy reload. # to trigger a policy reload.
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment