5487ca00d4
Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
25 lines
797 B
Plaintext
25 lines
797 B
Plaintext
# init switches to init domain (via init.rc).
|
|
type init, domain;
|
|
# init is unconfined.
|
|
unconfined_domain(init)
|
|
tmpfs_domain(init)
|
|
relabelto_domain(init)
|
|
# add a rule to handle unlabelled mounts
|
|
allow init unlabeled:filesystem mount;
|
|
|
|
allow init self:capability { sys_rawio mknod };
|
|
|
|
allow init fs_type:filesystem *;
|
|
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
|
allow init kernel:security load_policy;
|
|
allow init usermodehelper:file rw_file_perms;
|
|
allow init proc_security:file rw_file_perms;
|
|
|
|
# Transitions to seclabel processes in init.rc
|
|
allow init adbd:process transition;
|
|
allow init healthd:process transition;
|
|
allow init recovery:process transition;
|
|
allow init shell:process transition;
|
|
allow init ueventd:process transition;
|
|
allow init watchdogd:process transition;
|