kernel.te: tighten entrypoint / execute_no_trans neverallow

The kernel domain exists solely on boot, and is used by kernel threads. Because of the way the system starts, there is never an entrypoint for that domain, not even a file on rootfs. So tighten up the neverallow restriction. Remove an obsolete comment. The *.rc files no longer have a setcon statement, and the transition from the kernel domain to init occurs because init re-execs itself. The statement no longer applies. Test: bullhead policy compiles. Change-Id: Ibe75f3d25804453507dbb05c7a07bba1d37a1c7b
2016-10-30 18:42:17 -07:00 · 2016-10-30 18:42:17 -07:00 · 02cfce49ae
commit 02cfce49ae
parent ece327292c
1 changed files with 1 additions and 4 deletions
--- a/public/kernel.te
+++ b/public/kernel.te
@ -87,9 +87,6 @@ neverallow * kernel:process { transition dyntransition };
 # possible causes include:
 # - The program is a kernel usermodehelper.  In this case, define a domain
 #   for the program and domain_auto_trans() to it.
-# - You failed to setcon u:r:init:s0 in your init.rc and thus your init
-#   program was left in the kernel domain and is now trying to execute
-#   some other program.  Fix your init.rc file.
 # - You are running an exploit which switched to the init task credentials
 #   and is then trying to exec a shell or other program.  You lose!
-neverallow kernel { file_type fs_type -rootfs }:file { entrypoint execute_no_trans };
+neverallow kernel *:file { entrypoint execute_no_trans };