5487ca00d4
Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
24 lines
779 B
Plaintext
24 lines
779 B
Plaintext
# Life begins with the kernel.
|
|
type kernel, domain;
|
|
|
|
allow kernel init:process dyntransition;
|
|
|
|
# The kernel is unconfined.
|
|
unconfined_domain(kernel)
|
|
relabelto_domain(kernel)
|
|
|
|
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
|
allow kernel unlabeled:filesystem mount;
|
|
allow kernel fs_type:filesystem *;
|
|
|
|
# Initial setenforce by init prior to switching to init domain.
|
|
allow kernel self:security setenforce;
|
|
|
|
# Set checkreqprot by init.rc prior to switching to init domain.
|
|
allow kernel self:security setcheckreqprot;
|
|
|
|
# For operations performed by kernel or init prior to switching to init domain.
|
|
## TODO: Investigate whether it is safe to remove these
|
|
allow kernel self:capability { sys_rawio mknod };
|
|
auditallow kernel self:capability { sys_rawio mknod };
|