5487ca00d4
Remove sys_ptrace and add a neverallow for it. Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery, and add a neverallow for them. Remove sys_module. It can be added back where appropriate in device policy if using a modular kernel. No neverallow since it is device specific. Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
19 lines
686 B
Text
19 lines
686 B
Text
# recovery console (used in recovery init.rc for /sbin/recovery)
|
|
type recovery, domain;
|
|
allow recovery rootfs:file entrypoint;
|
|
unconfined_domain(recovery)
|
|
relabelto_domain(recovery)
|
|
|
|
allow recovery self:capability2 mac_admin;
|
|
|
|
allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
|
|
allow recovery unlabeled:filesystem mount;
|
|
allow recovery fs_type:filesystem *;
|
|
|
|
allow recovery self:process execmem;
|
|
allow recovery ashmem_device:chr_file execute;
|
|
allow recovery tmpfs:file rx_file_perms;
|
|
|
|
## TODO: Investigate whether it is safe to remove these
|
|
allow recovery self:capability { sys_rawio mknod };
|
|
auditallow recovery self:capability { sys_rawio mknod };
|