platform_system_sepolicy/kernel.te

# Life begins with the kernel.
type kernel, domain;

allow kernel init:process dyntransition;

# The kernel is unconfined.
unconfined_domain(kernel)
relabelto_domain(kernel)

allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow kernel unlabeled:filesystem mount;

# Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce;

# Set checkreqprot by init.rc prior to switching to init domain.
allow kernel self:security setcheckreqprot;
SE Android policy. 2012-01-04 18:33:27 +01:00			`# Life begins with the kernel.`
			`type kernel, domain;`
Remove transition / dyntransition from unconfined Require all domain transitions or dyntransitions to be explicitly specified in SELinux policy. healthd: Remove healthd_exec / init_daemon_domain(). Healthd lives on the rootfs and has no unique file type. It should be treated consistent with other similar domains. Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29 2014-01-25 05:43:07 +01:00
			`allow kernel init:process dyntransition;`

SE Android policy. 2012-01-04 18:33:27 +01:00			`# The kernel is unconfined.`
			`unconfined_domain(kernel)`
domain.te: Add backwards compatibility for unlabeled files For unlabeled files, revert to DAC rules. This is for backwards compatibility, as files created before SELinux was in place may not be properly labeled. Over time, the number of unlabeled files will decrease, and we can (hopefully) remove this rule in the future. To prevent inadvertantly introducing the "relabelto" permission, add a neverallow domain, and add apps which have a legitimate need to relabel to this domain. Bug: 9777552 Change-Id: I71b0ff8abd4925432062007c45b5be85f6f70a88 2013-07-10 23:46:05 +02:00			`relabelto_domain(kernel)`

			`allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;`
Fix more long-tail denials. For additional context- The denials related to init_tmpfs are of the form: denied { read } for pid=12315 comm=""dboxed_process0"" path=2F6465762F6173686D656D2F64616C76696B2D68656170202864656C6574656429 dev=""tmpfs"" ino=9464 scontext=u:r:isolated_app:s0 tcontext=u:object_r:init_tmpfs:s0 tclass=file (the path above is "/dev/ashmem/dalvik-heap (deleted)") The denials related to executing things from the dalvik cache are of the form: enied { execute } for pid=3565 comm=""dboxed_process0"" path=""/data/dalvik-cache/system@app@Chrome.apk@classes.dex"" dev=""mmcblk0p28"" ino=105983 scontext=u:r:isolated_app:s0 tcontext=u:object_r:dalvikcache_data_file:s0 tclass=file The denials related to isolated_app and the init socket are: denied { getattr } for pid=3824 comm=""Binder_2"" path=""socket:[14059]"" dev=""sockfs"" ino=14059 scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket The getopt denials for the aforementioned socket are: denied { getopt } for pid=3824 comm=""Binder_2"" path=""/dev/socket/dumpstate"" scontext=u:r:isolated_app:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket Change-Id: I3c57702e2af5a779a7618da9aa40930e7f12ee49 2013-09-06 00:36:30 +02:00			`allow kernel unlabeled:filesystem mount;`
Allow kernel domain, not init domain, to set SELinux enforcing mode. As per the discussion in: https://android-review.googlesource.com/#/c/71184/ init sets the enforcing mode in its code prior to switching to the init domain via a setcon command in the init.rc file. Hence, the setenforce permission is checked while still running in the kernel domain. Further, as init has no reason to ever set the enforcing mode again, we do not need to allow setenforce to the init domain and this prevents reverting to permissive mode via an errant write by init later. We could technically dontaudit the kernel setenforce access instead since the first call to setenforce happens while still permissive (and thus we never need to allow it in policy) but we allow it to more accurately represent what is possible. Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-06 14:05:53 +01:00
			`# Initial setenforce by init prior to switching to init domain.`
			`allow kernel self:security setenforce;`
Restrict ability to set checkreqprot. Now that we set /sys/fs/selinux/checkreqprot via init.rc, restrict the ability to set it to only the kernel domain. Change-Id: I975061fd0e69c158db9bdb23e6ba77948e3fead1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-01-08 15:29:30 +01:00
			`# Set checkreqprot by init.rc prior to switching to init domain.`
			`allow kernel self:security setcheckreqprot;`