Merge "init.te: delete kernel load policy support" into mnc-dev
This commit is contained in:
Nick Kralevich
Android (Google) Code Review
commit
dde8290372
2 changed files with 2 additions and 4 deletions
|
|
@ -208,11 +208,10 @@ neverallow domain self:capability2 mac_override;
|
|||
# Only recovery needs mac_admin to set contexts not defined in current policy.
|
||||
neverallow { domain -recovery } self:capability2 mac_admin;
|
||||
|
||||
# Only init should be able to load SELinux policies.
|
||||
# Nobody should be able to load a new SELinux policy.
|
||||
# The first load technically occurs while still in the kernel domain,
|
||||
# but this does not trigger a denial since there is no policy yet.
|
||||
# Policy reload requires allowing this to the init domain.
|
||||
neverallow { domain -init } kernel:security load_policy;
|
||||
neverallow domain kernel:security load_policy;
|
||||
|
||||
# Only init and the system_server can set selinux.reload_policy 1
|
||||
# to trigger a policy reload.
|
||||
|
|
|
|||
1
init.te
1
init.te
|
|
@ -123,7 +123,6 @@ allow init security_file:dir { create setattr };
|
|||
|
||||
# Reload policy upon setprop selinux.reload_policy 1.
|
||||
r_dir_file(init, security_file)
|
||||
allow init kernel:security load_policy;
|
||||
|
||||
# Any operation that can modify the kernel ring buffer, e.g. clear
|
||||
# or a read that consumes the messages that were read.
|
||||
|
|
|
|||
Loading…
Reference in a new issue