diff --git a/adbd.te b/adbd.te
index 705f5f0a0..58fdead68 100644
--- a/adbd.te
+++ b/adbd.te
@@ -8,8 +8,6 @@ userdebug_or_eng(`
 ')
 domain_auto_trans(adbd, shell_exec, shell)
-# this is an entrypoint
-allow adbd rootfs:file entrypoint;
 # Do not sanitize the environment or open fds of the shell.
 allow adbd shell:process noatsecure;
diff --git a/healthd.te b/healthd.te
index 9832ac479..ce6b8778e 100644
--- a/healthd.te
+++ b/healthd.te
@@ -2,7 +2,6 @@
 # it lives in the rootfs and has no unique file type.
 type healthd, domain;
-allow healthd rootfs:file { read entrypoint };
 write_klog(healthd)
 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by healthd.
diff --git a/init.te b/init.te
index 191c57069..abd069099 100644
--- a/init.te
+++ b/init.te
@@ -60,12 +60,23 @@ allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
 # Transitions to seclabel processes in init.rc
-allow init adbd:process transition;
-allow init healthd:process transition;
-allow init recovery:process transition;
-allow init shell:process transition;
-allow init ueventd:process transition;
-allow init watchdogd:process transition;
+domain_trans(init, rootfs, adbd)
+domain_trans(init, rootfs, healthd)
+recovery_only(`
+domain_trans(init, rootfs, recovery)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, rootfs, ueventd)
+domain_trans(init, rootfs, watchdogd)
+
+# Certain domains need LD_PRELOAD passed from init.
+# https://android-review.googlesource.com/94851
+# For now, allow it to all domains.
+# TODO: scope this down.
+allow init domain:process noatsecure;
+
+# Support "adb shell stop"
+allow init domain:process sigkill;
 # Init creates keystore's directory on boot, and walks through
 # the directory as part of a recursive restorecon.
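Review bot: Dropping `allow adbd rootfs:file entrypoint;` leaves adbd.te with no record of where the domain's entry permission now comes from; the only remaining grant is the `domain_trans(init, rootfs, adbd)` line added in init.te, which presumably expands to the entrypoint rule (confirm against the macro definition in te_macros). The same applies to the removals in healthd.te, ueventd.te, watchdogd.te and recovery.te. Note that the healthd, recovery and watchdogd rules removed here carried more than `entrypoint` (`read`, `execute` and `r_file_perms` respectively), so the change is only equivalent if the macro grants those file permissions to the new domain as well. A one-line pointer such as `# entrypoint on rootfs is granted via domain_trans() in init.te` above the remaining noatsecure rule would keep a reader of this file from re-adding the rule.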
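Review bot: `allow init domain:process noatsecure;` turns off AT_SECURE for every domain init spawns, not only the ones the linked change needs LD_PRELOAD for, and the `# TODO: scope this down.` above it carries no owner or tracking reference, so it is likely to outlive its reason. Consider restricting the rule to an attribute assigned to just the domains that need it, and until then attach a tracking reference to the TODO. Separately, the transition to recovery is now wrapped in `recovery_only(`, whereas the removed `allow init recovery:process transition;` was unconditional; that matches the existing `recovery_only(` block in recovery.te, but it is a behavior change beyond the macro swap and should be stated in the commit message. The comment `# Transitions to seclabel processes in init.rc` also no longer fits `domain_trans(init, shell_exec, shell)`, which appears to be an exec-based transition on shell_exec rather than a seclabel one.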
@@ -92,6 +103,10 @@ allow init property_type:property_service set;
 # Run "ifup lo" to bring up the localhost interface
 allow init self:udp_socket { create ioctl };
+# This line seems suspect, as it should not really need to
+# set scheduling parameters for a kernel domain task.
+allow init kernel:process setsched;
+
 ###
 ### neverallow rules
 ###
diff --git a/recovery.te b/recovery.te
index aac201b8d..75a024c07 100644
--- a/recovery.te
+++ b/recovery.te
@@ -7,8 +7,6 @@ type recovery, domain;
 # But the allow rules are only included in the recovery policy.
 # Otherwise recovery is only allowed the domain rules.
 recovery_only(`
-allow recovery rootfs:file { entrypoint execute };
-
 allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
 # Set security contexts on files that are not known to the loaded policy.
diff --git a/ueventd.te b/ueventd.te
index d8ae16ce1..2e61e8852 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -4,7 +4,6 @@ type ueventd, domain;
 tmpfs_domain(ueventd)
 write_klog(ueventd)
 security_access_policy(ueventd)
-allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;
 allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
 allow ueventd device:file create_file_perms;
diff --git a/unconfined.te b/unconfined.te
index 6b64fb95e..a76c3d8a9 100644
--- a/unconfined.te
+++ b/unconfined.te
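Review bot: `allow init kernel:process setsched;` is landed as an allow while its own comment says the access should not be needed, which means the denial that prompted it will never be logged again and the open question is never answered. Either identify which init.rc action triggers setsched on a kernel-labelled task before granting it, or land it as `dontaudit init kernel:process setsched;` if the access is known to be harmless and only noisy; in both cases replace the prose with a `# TODO(<tracking-ref>): ...` line so the rule has an owner. Once the root cause is understood, this is also the kind of access the neverallow section that follows could pin down.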
@@ -20,27 +20,6 @@ allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
 allow unconfineddomain kernel:system ~{ syslog_read syslog_mod syslog_console };
-allow unconfineddomain domain:process {
-fork
-sigchld
-sigkill
-sigstop
-signull
-signal
-getsched
-setsched
-getsession
-getpgid
-setpgid
-getcap
-setcap
-share
-getattr
-noatsecure
-siginh
-setrlimit
-rlimitinh
-};
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;
diff --git a/watchdogd.te b/watchdogd.te
index be193eae5..ab9356000 100644
--- a/watchdogd.te
+++ b/watchdogd.te
@@ -1,6 +1,5 @@
 # watchdogd seclabel is specified in init..rc
 type watchdogd, domain;
-allow watchdogd rootfs:file { entrypoint r_file_perms };
 allow watchdogd self:capability mknod;
 allow watchdogd device:dir { add_name write remove_name };
 allow watchdogd watchdog_device:chr_file rw_file_perms;
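Review bot: Removing the whole `allow unconfineddomain domain:process { ... }` block withdraws `fork`, `signal`, `getsched`, `setsched`, `setrlimit` and the rest from every unconfined domain against every target, including itself, and the only replacements visible in this diff are the `sigkill` and `noatsecure` rules added to init. Unless domain.te (not shown) already grants the `self:process` subset, unconfined domains may lose `fork` and `setrlimit` on themselves, and any unconfined domain other than init that signals or reprioritizes other processes will start being denied. Suggest confirming the baseline `self:process` rule and checking the denial log on an eng build before merging, rather than re-adding a narrower block blindly.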