Allow init to mount filesystems on properly labeled folders

Change-Id: I08aaf89e2ef23f9528d107a1c9d66c1c9979b3ac
2015-07-23 21:01:13 -07:00 · 2015-07-23 21:01:13 -07:00 · e244f2d355
commit e244f2d355
parent d21855824d
2 changed files with 3 additions and 2 deletions
--- a/domain.te
+++ b/domain.te
@ -327,7 +327,8 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
 neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;

 # Don't allow mounting on top of /system files or directories
-neverallow domain { system_file exec_type }:dir_file_class_set mounton;
+neverallow domain exec_type:dir_file_class_set mounton;
+neverallow { domain -init } system_file:dir_file_class_set mounton;

 # Nothing should be writing to files in the rootfs.
 neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
--- a/init.te
+++ b/init.te
@ -43,7 +43,7 @@ allow init self:capability sys_admin;

 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init rootfs:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;

 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;