SELinux policy changes for re-execing init.
Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448
This commit is contained in:
parent
934cf6eaf0
commit
46e832f562
4 changed files with 33 additions and 29 deletions
|
@ -299,7 +299,8 @@ neverallow { domain -init } property_data_file:file no_w_file_perms;
|
|||
|
||||
# Only recovery should be doing writes to /system
|
||||
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
|
||||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
{ create write setattr relabelfrom append unlink link rename };
|
||||
neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
|
||||
|
||||
# Don't allow mounting on top of /system files or directories
|
||||
neverallow domain { system_file exec_type }:dir_file_class_set mounton;
|
||||
|
|
|
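Review bot: The new `neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;` exempts the kernel domain from relabelto on every system_file/exec_type type and every class in dir_file_class_set, while the only relabel the re-exec actually needs (per the kernel.te change in this same commit) is `allow kernel init_exec:file relabelto;`. As written, a later allow rule granting kernel relabelto on arbitrary /system files or directories would no longer trip any neverallow. Keep the carve-out as narrow as the allow by adding `neverallow kernel { system_file exec_type -init_exec }:dir_file_class_set relabelto;` next to it. The "Only recovery should be doing writes to /system" comment above should also mention the kernel/init_exec exception so the exemption is visible to the next reader.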
@ -12,7 +12,7 @@
|
|||
|
||||
# Executables
|
||||
/charger u:object_r:rootfs:s0
|
||||
/init u:object_r:rootfs:s0
|
||||
/init u:object_r:init_exec:s0
|
||||
/sbin(/.*)? u:object_r:rootfs:s0
|
||||
|
||||
# Empty directories
|
||||
|
|
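Review bot: The new `/init u:object_r:init_exec:s0` entry only takes effect once something restores the label; this commit relies on the kernel-domain `rootfs:file relabelfrom` / `init_exec:file relabelto` rules in kernel.te for init to relabel itself before re-execing, and if /init is on a ramdisk with no persisted xattrs (the surrounding rootfs entries suggest so) this line is the sole source of that label. A one-line comment here, e.g. `# /init is relabeled to init_exec by init itself before it re-execs; see kernel.te`, would tie the two halves of the mechanism together for a reader of this file alone. /charger and /sbin staying rootfs looks intentional, but is worth confirming.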
29
init.te
29
init.te
|
@ -1,7 +1,22 @@
|
|||
# init switches to init domain (via init.rc).
|
||||
# init is its own domain.
|
||||
type init, domain, mlstrustedsubject;
|
||||
tmpfs_domain(init)
|
||||
|
||||
# The init domain is entered by execing init.
|
||||
type init_exec, exec_type, file_type;
|
||||
|
||||
# /dev/__null__ node created by init.
|
||||
allow init tmpfs:chr_file create_file_perms;
|
||||
|
||||
#
|
||||
# init direct restorecon calls.
|
||||
#
|
||||
# /dev/socket
|
||||
allow init { device socket_device }:dir relabelto;
|
||||
# /dev/__properties__
|
||||
allow init tmpfs:file relabelfrom;
|
||||
allow init properties_device:file relabelto;
|
||||
|
||||
# setrlimit
|
||||
allow init self:capability sys_resource;
|
||||
|
||||
|
@ -30,6 +45,8 @@ allow init self:capability sys_admin;
|
|||
allow init rootfs:dir create_dir_perms;
|
||||
allow init rootfs:dir mounton;
|
||||
|
||||
allow init proc:dir mounton;
|
||||
|
||||
# Mount on /dev/usb-ffs/adb.
|
||||
allow init device:dir mounton;
|
||||
|
||||
|
@ -144,8 +161,8 @@ recovery_only(`
|
|||
domain_trans(init, rootfs, recovery)
|
||||
')
|
||||
domain_trans(init, shell_exec, shell)
|
||||
domain_trans(init, rootfs, ueventd)
|
||||
domain_trans(init, rootfs, watchdogd)
|
||||
domain_trans(init, init_exec, ueventd)
|
||||
domain_trans(init, init_exec, watchdogd)
|
||||
|
||||
# Support "adb shell stop"
|
||||
allow init self:capability kill;
|
||||
|
@ -257,9 +274,9 @@ unix_socket_connect(init, vold, vold)
|
|||
|
||||
# The init domain is only entered via setcon from the kernel domain,
|
||||
# never via an exec-based transition.
|
||||
neverallow { domain -kernel} init:process dyntransition;
|
||||
neverallow domain init:process transition;
|
||||
neverallow init { file_type fs_type }:file entrypoint;
|
||||
neverallow domain init:process dyntransition;
|
||||
neverallow { domain -kernel} init:process transition;
|
||||
neverallow init { file_type fs_type -init_exec }:file entrypoint;
|
||||
|
||||
# Never read/follow symlinks created by shell or untrusted apps.
|
||||
neverallow init shell_data_file:lnk_file read;
|
||||
|
|
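Review bot: The unchanged comment heading the neverallow block, `# The init domain is only entered via setcon from the kernel domain, never via an exec-based transition.`, now states the opposite of what the rules beneath it enforce: the new rules forbid every dyntransition into init, allow only the kernel domain an exec-based transition into it, and make init_exec the sole entrypoint. Replace it with `# The init domain is only entered via an exec-based transition from the kernel domain (through init_exec), never via setcon/dyntransition.` so the rationale matches the policy. Note that init_exec is also an entrypoint for ueventd and watchdogd per the `domain_trans(init, init_exec, ...)` lines in the earlier hunk, so the entrypoint neverallow here cannot be tightened to make init_exec exclusive to init; a sentence saying so would pre-empt that question.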
28
kernel.te
28
kernel.te
|
@ -3,15 +3,11 @@ type kernel, domain, mlstrustedsubject;
|
|||
|
||||
allow kernel self:capability sys_nice;
|
||||
|
||||
# Run /init before we have switched domains.
|
||||
allow kernel rootfs:file execute_no_trans;
|
||||
|
||||
# /dev/__null__ node created by init prior to policy load.
|
||||
allow kernel tmpfs:chr_file rw_file_perms;
|
||||
|
||||
# setcon to init domain.
|
||||
allow kernel self:process setcurrent;
|
||||
allow kernel init:process dyntransition;
|
||||
# Allow init relabel itself.
|
||||
allow kernel rootfs:file relabelfrom;
|
||||
allow kernel init_exec:file relabelto;
|
||||
# TODO: investigate why we need this.
|
||||
allow kernel init:process share;
|
||||
|
||||
# cgroup filesystem initialization prior to setting the cgroup root directory label.
|
||||
allow kernel unlabeled:dir search;
|
||||
|
@ -20,18 +16,6 @@ allow kernel unlabeled:dir search;
|
|||
allow kernel usbfs:filesystem mount;
|
||||
allow kernel usbfs:dir search;
|
||||
|
||||
# init direct restorecon calls prior to switching to init domain
|
||||
# /dev and /dev/socket
|
||||
allow kernel tmpfs:dir relabelfrom;
|
||||
allow kernel { device socket_device }:dir relabelto;
|
||||
# /dev/__properties__
|
||||
allow kernel tmpfs:file relabelfrom;
|
||||
allow kernel properties_device:file relabelto;
|
||||
# /sys
|
||||
allow kernel sysfs:{ dir file lnk_file } relabelfrom;
|
||||
allow kernel sysfs_type:{ dir file lnk_file } relabelto;
|
||||
allow kernel sysfs_type:dir r_dir_perms;
|
||||
|
||||
# Initial setenforce by init prior to switching to init domain.
|
||||
# We use dontaudit instead of allow to prevent a kernel spawned userspace
|
||||
# process from turning off SELinux once enabled.
|
||||
|
@ -58,6 +42,8 @@ allow kernel vold:fd use;
|
|||
allow kernel app_data_file:file read;
|
||||
allow kernel asec_image_file:file read;
|
||||
|
||||
domain_auto_trans(kernel, init_exec, init)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
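Review bot: The `# TODO: investigate why we need this.` above `allow kernel init:process share;` should be resolved rather than shipped: the process:share permission is checked on exec when the calling task still shares fs/files/signal state with another task (the LSM "unsafe share" path), and PID 1 at the point of re-exec presumably still shares its fs_struct with kernel threads, which would explain the denial. Confirm that against the audit log and replace the TODO with e.g. `# init still shares its fs_struct with kernel threads when it re-execs itself, so the kernel->init exec transition requires process:share.`. Separately, with the re-exec now going through `domain_auto_trans(kernel, init_exec, init)`, check whether the remaining `allow kernel rootfs:file execute_no_trans;` is still needed once policy is loaded; if it exists only for the first exec of /init before policy load, a comment saying so would stop it being read as a standing grant to run any rootfs binary in the kernel domain.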