platform_system_sepolicy/init.te
Stephen Smalley 3f40d4f4b1 Remove block device access from unconfined domains.
Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-12 13:03:38 -05:00

25 lines
841 B
Text

# init switches to init domain (via init.rc).
type init, domain;
# init is unconfined.
unconfined_domain(init)
tmpfs_domain(init)
relabelto_domain(init)
# add a rule to handle unlabelled mounts
allow init unlabeled:filesystem mount;
allow init self:capability { sys_rawio mknod };
allow init dev_type:blk_file rw_file_perms;
allow init fs_type:filesystem *;
allow init {fs_type dev_type file_type}:dir_file_class_set relabelto;
allow init kernel:security load_policy;
allow init usermodehelper:file rw_file_perms;
allow init proc_security:file rw_file_perms;
# Transitions to seclabel processes in init.rc
allow init adbd:process transition;
allow init healthd:process transition;
allow init recovery:process transition;
allow init shell:process transition;
allow init ueventd:process transition;
allow init watchdogd:process transition;