fea6e66fad
As per the discussion in: https://android-review.googlesource.com/#/c/71184/
init sets the enforcing mode in its code prior to switching to the init domain via a setcon command in the init.rc file. Hence, the setenforce permission is checked while still running in the kernel domain. Further, as init has no reason to ever set the enforcing mode again, we do not need to allow setenforce to the init domain and this prevents reverting to permissive mode via an errant write by init later.

We could technically dontaudit the kernel setenforce access instead since the first call to setenforce happens while still permissive (and thus we never need to allow it in policy) but we allow it to more accurately represent what is possible.

Change-Id: I70b5e6d8c99e0566145b9c8df863cc8a34019284
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
11 lines
349 B
Text
# Life begins with the kernel.
type kernel, domain;

# The kernel is unconfined.
unconfined_domain(kernel)
relabelto_domain(kernel)

allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow kernel unlabeled:filesystem mount;

# Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce;
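The ordering the commit message relies on (setenforce while still in the kernel domain, then setcon into init, after which init has no setenforce permission) can be replayed against the three allow rules above. The following is an added example, not code from the Android sepolicy project or from the commit author: it parses the allow rules from the policy file listed on this page, expands attribute and class-set names with constructed membership tables (an assumption; the real memberships live elsewhere in the policy), and runs a toy access check with the enforcing/permissive switch. The `Avc`, `expand`, `parse_allow_rules` and `replay_boot` names are this example's own.

```python
"""Toy model of the access decision walked through in the commit message.

Added example, not the Android sepolicy project's code.  Attribute and
class-set membership below is constructed for the example (assumption);
the `setcon` transition itself is not modelled, only the domain change.
"""
import re
from dataclasses import dataclass, field

POLICY_TE = """\
# Life begins with the kernel.
type kernel, domain;
# The kernel is unconfined.
unconfined_domain(kernel)
relabelto_domain(kernel)
allow kernel {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow kernel unlabeled:filesystem mount;
# Initial setenforce by init prior to switching to init domain.
allow kernel self:security setenforce;
"""

# Constructed attribute / class-set membership (assumption for this example).
ATTRIBUTES = {
    "fs_type": {"rootfs", "selinuxfs", "proc"},
    "dev_type": {"device", "block_device"},
    "file_type": {"system_file", "unlabeled"},
    "dir_file_class_set": {"dir", "file", "lnk_file"},
}

ALLOW_RE = re.compile(
    r"^allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+);$"
)


def expand(token):
    """Expand one rule token: braces become a set, attribute names become
    their members.  The keyword `self` is kept literal and resolved per check."""
    out = set()
    for name in token.strip("{}").split():
        out |= ATTRIBUTES.get(name, {name})
    return frozenset(out)


@dataclass(frozen=True)
class AllowRule:
    sources: frozenset
    targets: frozenset
    classes: frozenset
    perms: frozenset


def parse_allow_rules(te_text):
    """Collect the `allow` rules; comments, `type` lines and m4 macros are skipped."""
    rules = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            rules.append(AllowRule(*(expand(g) for g in m.groups())))
    return rules


@dataclass
class Avc:
    """Minimal access vector check with the enforcing/permissive switch."""
    rules: list
    enforcing: bool = False          # boot starts permissive until init flips it
    audit: list = field(default_factory=list)

    def check(self, scontext, tcontext, tclass, perm):
        for r in self.rules:
            targets = {scontext if t == "self" else t for t in r.targets}
            if (scontext in r.sources and tcontext in targets
                    and tclass in r.classes and perm in r.perms):
                return True
        self.audit.append(
            f"avc: denied {{ {perm} }} scontext={scontext} tcontext={tcontext} "
            f"tclass={tclass} permissive={int(not self.enforcing)}")
        return not self.enforcing    # permissive: log the denial but grant it


def replay_boot(avc):
    """Replay the ordering from the commit message.
    Returns (first setenforce granted, init's errant setenforce granted, final mode)."""
    domain = "kernel"                # init starts life in the kernel domain
    first = avc.check(domain, domain, "security", "setenforce")
    if first:
        avc.enforcing = True         # setenforce 1
    domain = "init"                  # init.rc: setcon into the init domain
    errant = avc.check(domain, domain, "security", "setenforce")
    if errant:
        avc.enforcing = False        # the revert that the missing rule prevents
    return first, errant, avc.enforcing


if __name__ == "__main__":
    avc = Avc(parse_allow_rules(POLICY_TE))
    print(replay_boot(avc))
    print("\n".join(avc.audit))
```

Running it with all three rules grants the kernel-domain setenforce silently and denies the later one from init, leaving the system enforcing. Dropping the `self:security setenforce` rule reproduces the dontaudit remark in the commit message: the first call still succeeds because the system is permissive at that point, but it now produces an audit record.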