3235f61aa8
Remove /data/security and setprop selinux.reload_policy access from unconfineddomain, and only add back what is needed to init (system_server already gets the required allow rules via the selinux_manage_policy macro). init (via init.rc post-fs-data) originally creates /data/security and may later restorecon it. init also sets the property (also from init.rc post-fs-data) to trigger a reload once /data is mounted. The system_server (SELinuxPolicyInstallReceiver in particular) creates subdirectories under /data/security for updates, writes files to these subdirectories, creates the /data/security/current symlink to the update directory, and sets the property to trigger a reload when an update bundle is received. Add neverallow rules to ensure that we do not allow undesired access to security_file or security_prop. This is only truly meaningful if the support for /data/security policies is restored, but is harmless otherwise. Also drop the persist.mmac property_contexts entry; it was never used in AOSP, only in our tree (for middleware MAC) and is obsolete. Change-Id: I5ad5e3b6fc7abaafd314d31723f37b708d8fcf89 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
65 lines
2.4 KiB
Text
65 lines
2.4 KiB
Text
# init switches to init domain (via init.rc).
|
|
type init, domain;
|
|
# init is unconfined.
|
|
unconfined_domain(init)
|
|
tmpfs_domain(init)
|
|
|
|
allow init self:capability { sys_rawio mknod };
|
|
|
|
# Running e2fsck or mkswap via fs_mgr.
|
|
allow init dev_type:blk_file rw_file_perms;
|
|
|
|
# Mounting filesystems.
|
|
allow init fs_type:filesystem *;
|
|
allow init unlabeled:filesystem *;
|
|
|
|
# restorecon and restorecon_recursive calls from init.rc files.
|
|
# system/core/init.rc requires at least cache_file and data_file_type.
|
|
# init.<board>.rc files often include device-specific types, so
|
|
# we just allow all file types except /system files here.
|
|
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
|
|
|
|
# Unlabeled file access for upgrades from 4.2.
|
|
allow init unlabeled:dir { create_dir_perms relabelfrom };
|
|
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
|
|
|
|
# Create /data/security from init.rc post-fs-data.
|
|
allow init security_file:dir { create setattr };
|
|
|
|
# setprop selinux.reload_policy 1 from init.rc post-fs-data.
|
|
allow init security_prop:property_service set;
|
|
|
|
# Reload policy upon setprop selinux.reload_policy 1.
|
|
r_dir_file(init, security_file)
|
|
allow init kernel:security load_policy;
|
|
|
|
# Any operation that can modify the kernel ring buffer, e.g. clear
|
|
# or a read that consumes the messages that were read.
|
|
allow init kernel:system syslog_mod;
|
|
|
|
# Set usermodehelpers and /proc security settings.
|
|
allow init usermodehelper:file rw_file_perms;
|
|
allow init proc_security:file rw_file_perms;
|
|
|
|
# Transitions to seclabel processes in init.rc
|
|
allow init adbd:process transition;
|
|
allow init healthd:process transition;
|
|
allow init recovery:process transition;
|
|
allow init shell:process transition;
|
|
allow init ueventd:process transition;
|
|
allow init watchdogd:process transition;
|
|
|
|
# Init creates keystore's directory on boot, and walks through
|
|
# the directory as part of a recursive restorecon.
|
|
allow init keystore_data_file:dir { open create read getattr setattr search };
|
|
allow init keystore_data_file:file { getattr };
|
|
|
|
# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
|
|
# setexec is for services with seclabel options.
|
|
# setfscreate is for labeling directories and socket files.
|
|
# setsockcreate is for labeling local/unix domain sockets.
|
|
allow init self:process { setexec setfscreate setsockcreate };
|
|
|
|
# Create /data/property and files within it.
|
|
allow init property_data_file:dir create_dir_perms;
|
|
allow init property_data_file:file create_file_perms;
|