tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Allow init to relabel rootfs files."

Browse source
This commit is contained in:
Nick Kralevich 2014-06-23 15:35:53 +00:00 committed by Gerrit Code Review
commit 2e14164cf3
2 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
domain.te
View file

@ -278,7 +278,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename }; { create write setattr relabelfrom relabelto append unlink link rename };
# Nothing should be writing to files in the rootfs. # Nothing should be writing to files in the rootfs.
neverallow domain rootfs:file { create write setattr relabelfrom relabelto append unlink link rename }; neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with # Restrict context mounts to specific types marked with
# the contextmount_type attribute. # the contextmount_type attribute.

3
init.te
View file

@ -28,6 +28,9 @@ allow init contextmount_type:filesystem relabelto;
allow init contextmount_type:dir r_dir_perms; allow init contextmount_type:dir r_dir_perms;
allow init contextmount_type:notdevfile_class_set r_file_perms; allow init contextmount_type:notdevfile_class_set r_file_perms;
# restorecon /adb_keys or any other rootfs files to a more specific type.
allow init rootfs:file relabelfrom;
# restorecon and restorecon_recursive calls from init.rc files. # restorecon and restorecon_recursive calls from init.rc files.
# system/core/init.rc requires at least cache_file and data_file_type. # system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so # init.<board>.rc files often include device-specific types, so