From 2c9d5b2839307987812db8a939d88272b865bacc Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Mon, 13 Jan 2014 09:44:42 -0500 Subject: [PATCH] Set SELinux security contexts correctly for init and services. Otherwise everything is left running in the kernel domain when booting recovery. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley --- etc/init.rc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/etc/init.rc b/etc/init.rc index 17548906..5f9ce80a 100644 --- a/etc/init.rc +++ b/etc/init.rc @@ -1,6 +1,13 @@ import /init.recovery.${ro.hardware}.rc on early-init + # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls. + write /sys/fs/selinux/checkreqprot 0 + + # Set the security context for the init process. + # This should occur before anything else (e.g. ueventd) is started. + setcon u:r:init:s0 + start ueventd start healthd @@ -43,15 +50,19 @@ on property:sys.powerctl=* service ueventd /sbin/ueventd critical + seclabel u:r:ueventd:s0 service healthd /sbin/healthd -n critical + seclabel u:r:healthd:s0 service recovery /sbin/recovery + seclabel u:r:recovery:s0 service adbd /sbin/adbd recovery disabled socket adbd stream 660 system system + seclabel u:r:adbd:s0 # Always start adbd on userdebug and eng builds on property:ro.debuggable=1