f3c3a1aa33
execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail.

Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
10 lines, 455 B, Text
# Restricted domain for shell processes spawned by init.
# Normally these are shell commands or scripts invoked via sh
# from an init*.rc file. No service should ever run in this domain.
type init_shell, domain;
domain_auto_trans(init, shell_exec, init_shell)
permissive_or_unconfined(init_shell)

# Run helpers from / or /system without changing domain.
allow init_shell rootfs:file execute_no_trans;
allow init_shell system_file:file execute_no_trans;
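A small policy-consistency check, added here as an example and not part of this commit or of AOSP: it parses allow/neverallow rules of the shape the commit message describes and reports any allow that contradicts the kernel neverallow, the same contradiction checkpolicy rejects at build time. The policy fragment and the type universe it uses are constructed assumptions, not the real .te files.

```python
import re

# Constructed policy fragment with the shape the commit message describes
# (assumption: the real AOSP .te files are not reproduced; only the rule shape is).
SAMPLE_POLICY = """
allow init rootfs:file execute_no_trans;
allow init system_file:file execute_no_trans;
allow init_shell rootfs:file execute_no_trans;
allow init_shell system_file:file execute_no_trans;
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
allow kernel rootfs:file execute_no_trans;
neverallow kernel ~rootfs:file execute_no_trans;
"""

# Matches single-permission rules: "<kind> <src> <target-expr>:<class> <perm>;"
RULE_RE = re.compile(r"^(allow|neverallow)\s+(\S+)\s+(.+?):(\w+)\s+(\w+);$")

def type_names(expr):
    """Bare type names in a target expression such as 'rootfs', '~rootfs' or '{ a b }'."""
    return set(expr.strip().lstrip("~").strip("{} ").split())

def expand(expr, known):
    """Resolve a target expression to a set of types; '~' is the complement over known."""
    names = type_names(expr)
    return known - names if expr.strip().startswith("~") else names

def parse(policy):
    """Return the recognised rules as (kind, src, target_expr, cls, perm) tuples."""
    matches = (RULE_RE.match(line.strip()) for line in policy.splitlines())
    return [m.groups() for m in matches if m]

def find_violations(policy):
    """List allow rules that contradict a neverallow, as checkpolicy rejects at build time.
    Assumption: the type universe is only the types the fragment mentions."""
    rules = parse(policy)
    known = set()
    for _, src, tgt, _, _ in rules:
        known |= {src} | type_names(tgt)
    violations = []
    for kind, src, tgt, cls, perm in rules:
        if kind != "neverallow":
            continue
        banned = expand(tgt, known)
        for k2, s2, t2, c2, p2 in rules:
            if k2 == "allow" and (s2, c2, p2) == (src, cls, perm):
                hit = expand(t2, known) & banned
                if hit:
                    violations.append(f"allow {s2} {sorted(hit)}:{c2} {p2} violates neverallow")
    return violations
```

With the fragment as written the kernel rule is consistent; appending an allow for kernel on any type other than rootfs produces a violation, which is exactly what the neverallow is there to catch.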