Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / fed8a2a4d998ac7c8c4ebce585e5de14e95af10b^! / .
commitfed8a2a4d998ac7c8c4ebce585e5de14e95af10b[log] [tgz]
authorNick Kralevich <nnk@google.com>Fri Jan 24 20:43:07 2014 -0800
committerNick Kralevich <nnk@google.com>Mon Jan 27 11:06:21 2014 -0800
treeb406677e268d4b82bbf98b1c0a343fd21b42bc46
parent76d14766dd6aa854bf047a60c1d99c2d429bd3b2 [diff]
Remove transition / dyntransition from unconfined

Require all domain transitions or dyntransitions to be
explicitly specified in SELinux policy.

healthd: Remove healthd_exec / init_daemon_domain().
Healthd lives on the rootfs and has no unique file type.
It should be treated consistent with other similar domains.

Change-Id: Ief3c1167379cfb5383073fa33c9a95710a883b29

diff --git a/healthd.te b/healthd.te
index 125ced0..02c7ba8 100644
--- a/healthd.te
+++ b/healthd.te

@@ -1,9 +1,7 @@
 # healthd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type healthd, domain;
-type healthd_exec, exec_type, file_type;
 
-init_daemon_domain(healthd)
 allow healthd rootfs:file { read entrypoint };
 write_klog(healthd)
 # /dev/__null__ created by init prior to policy load,

diff --git a/init.te b/init.te
index abe5e78..bab0df3 100644
--- a/init.te
+++ b/init.te

@@ -11,3 +11,11 @@
 allow init kernel:security load_policy;
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
+
+# Transitions to seclabel processes in init.rc
+allow init adbd:process transition;
+allow init healthd:process transition;
+allow init recovery:process transition;
+allow init shell:process transition;
+allow init ueventd:process transition;
+allow init watchdogd:process transition;

diff --git a/kernel.te b/kernel.te
index 4ccce20..dfc6258 100644
--- a/kernel.te
+++ b/kernel.te

@@ -1,5 +1,8 @@
 # Life begins with the kernel.
 type kernel, domain;
+
+allow kernel init:process dyntransition;
+
 # The kernel is unconfined.
 unconfined_domain(kernel)
 relabelto_domain(kernel)

diff --git a/unconfined.te b/unconfined.te
index 44ba046..9facc2e 100644
--- a/unconfined.te
+++ b/unconfined.te

@@ -19,7 +19,7 @@
 allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
 allow unconfineddomain kernel:system *;
-allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace };
+allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;