Set SELinux security contexts correctly for init and services.
Otherwise everything is left running in the kernel domain when booting recovery. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent
617d1cadc6
commit
2c9d5b2839
1 changed files with 11 additions and 0 deletions
11
etc/init.rc
11
etc/init.rc
|
@ -1,6 +1,13 @@
|
|||
import /init.recovery.${ro.hardware}.rc
|
||||
|
||||
on early-init
|
||||
# Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
|
||||
write /sys/fs/selinux/checkreqprot 0
|
||||
|
||||
# Set the security context for the init process.
|
||||
# This should occur before anything else (e.g. ueventd) is started.
|
||||
setcon u:r:init:s0
|
||||
|
||||
start ueventd
|
||||
start healthd
|
||||
|
||||
|
@ -43,15 +50,19 @@ on property:sys.powerctl=*
|
|||
|
||||
service ueventd /sbin/ueventd
|
||||
critical
|
||||
seclabel u:r:ueventd:s0
|
||||
|
||||
service healthd /sbin/healthd -n
|
||||
critical
|
||||
seclabel u:r:healthd:s0
|
||||
|
||||
service recovery /sbin/recovery
|
||||
seclabel u:r:recovery:s0
|
||||
|
||||
service adbd /sbin/adbd recovery
|
||||
disabled
|
||||
socket adbd stream 660 system system
|
||||
seclabel u:r:adbd:s0
|
||||
|
||||
# Always start adbd on userdebug and eng builds
|
||||
on property:ro.debuggable=1
|
||||
|
|
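Review bot: The four `seclabel` lines in the second hunk cover only the services declared in this file; a service defined in the imported `/init.recovery.${ro.hardware}.rc` (first line of the first hunk) without its own `seclabel` would presumably keep running in init's context, since binaries started from the rootfs get no policy-defined domain transition. A comment above `service ueventd` would make that expectation explicit for device maintainers, for example `# Services run from the rootfs need an explicit seclabel; without one they stay in init's context.` It is also worth confirming that the policy built into the recovery image defines the `ueventd`, `healthd`, `recovery` and `adbd` domains, because ueventd and healthd are marked `critical` and a label the loaded policy does not know would likely keep them from starting. The part of the file between the two hunks is not shown, so any service declared there cannot be checked from this page.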