am 4abd409a: Relax neverallow rule for loading an updated SELinux policy.
* commit '4abd409af0e7d7fb908e5f04fa1ed946e2996dce': Relax neverallow rule for loading an updated SELinux policy.
This commit is contained in:
Nick Kralevich
Android Git Automerger
commit
b1a14d9b7f
1 changed files with 3 additions and 2 deletions
|
|
@ -209,10 +209,11 @@ neverallow domain self:capability2 mac_override;
|
|||
# Only recovery needs mac_admin to set contexts not defined in current policy.
|
||||
neverallow { domain -recovery } self:capability2 mac_admin;
|
||||
|
||||
# Nobody should be able to load a new SELinux policy.
|
||||
# Only init should be able to load SELinux policies.
|
||||
# The first load technically occurs while still in the kernel domain,
|
||||
# but this does not trigger a denial since there is no policy yet.
|
||||
neverallow domain kernel:security load_policy;
|
||||
# Policy reload requires allowing this to the init domain.
|
||||
neverallow { domain -init } kernel:security load_policy;
|
||||
|
||||
# Only init and the system_server can set selinux.reload_policy 1
|
||||
# to trigger a policy reload.
|
||||
|
|
|
|||
Loading…
Reference in a new issue