b081cc1e05
Only allow to specific domains as required, and add a neverallow to prevent allowing it to other domains not explicitly whitelisted. sdcard_type is exempted from the neverallow since more domains require the ability to mount it, including device-specific domains. Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
23 lines
748 B
Plaintext
23 lines
748 B
Plaintext
# init switches to init domain (via init.rc).
|
|
type init, domain;
|
|
# init is unconfined.
|
|
unconfined_domain(init)
|
|
tmpfs_domain(init)
|
|
relabelto_domain(init)
|
|
# add a rule to handle unlabelled mounts
|
|
allow init unlabeled:filesystem mount;
|
|
|
|
allow init fs_type:filesystem *;
|
|
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
|
|
allow init kernel:security load_policy;
|
|
allow init usermodehelper:file rw_file_perms;
|
|
allow init proc_security:file rw_file_perms;
|
|
|
|
# Transitions to seclabel processes in init.rc
|
|
allow init adbd:process transition;
|
|
allow init healthd:process transition;
|
|
allow init recovery:process transition;
|
|
allow init shell:process transition;
|
|
allow init ueventd:process transition;
|
|
allow init watchdogd:process transition;
|