SELinux policy changes for re-execing init.
Change-Id: I5eca4f1f0f691be7c25e463563e0a4d2ac737448
diff --git a/domain.te b/domain.te
index c7fe3be..7bc2292 100644
--- a/domain.te
+++ b/domain.te
@@ -299,7 +299,8 @@
# Only recovery should be doing writes to /system
neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
+ { create write setattr relabelfrom append unlink link rename };
+neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow domain { system_file exec_type }:dir_file_class_set mounton;
diff --git a/file_contexts b/file_contexts
index e36a6c3..0fc096d 100644
--- a/file_contexts
+++ b/file_contexts
@@ -12,7 +12,7 @@
# Executables
/charger u:object_r:rootfs:s0
-/init u:object_r:rootfs:s0
+/init u:object_r:init_exec:s0
/sbin(/.*)? u:object_r:rootfs:s0
# Empty directories
diff --git a/init.te b/init.te
index 78f460a..9f68bb8 100644
--- a/init.te
+++ b/init.te
@@ -1,7 +1,22 @@
-# init switches to init domain (via init.rc).
+# init is its own domain.
type init, domain, mlstrustedsubject;
tmpfs_domain(init)
+# The init domain is entered by execing init.
+type init_exec, exec_type, file_type;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file create_file_perms;
+
+#
+# init direct restorecon calls.
+#
+# /dev/socket
+allow init { device socket_device }:dir relabelto;
+# /dev/__properties__
+allow init tmpfs:file relabelfrom;
+allow init properties_device:file relabelto;
+
# setrlimit
allow init self:capability sys_resource;
@@ -30,6 +45,8 @@
allow init rootfs:dir create_dir_perms;
allow init rootfs:dir mounton;
+allow init proc:dir mounton;
+
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
@@ -144,8 +161,8 @@
domain_trans(init, rootfs, recovery)
')
domain_trans(init, shell_exec, shell)
-domain_trans(init, rootfs, ueventd)
-domain_trans(init, rootfs, watchdogd)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, watchdogd)
# Support "adb shell stop"
allow init self:capability kill;
@@ -257,9 +274,9 @@
# The init domain is only entered via setcon from the kernel domain,
# never via an exec-based transition.
-neverallow { domain -kernel} init:process dyntransition;
-neverallow domain init:process transition;
-neverallow init { file_type fs_type }:file entrypoint;
+neverallow domain init:process dyntransition;
+neverallow { domain -kernel} init:process transition;
+neverallow init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
neverallow init shell_data_file:lnk_file read;
diff --git a/kernel.te b/kernel.te
index f570ac2..72325c2 100644
--- a/kernel.te
+++ b/kernel.te
@@ -3,15 +3,11 @@
allow kernel self:capability sys_nice;
-# Run /init before we have switched domains.
-allow kernel rootfs:file execute_no_trans;
-
-# /dev/__null__ node created by init prior to policy load.
-allow kernel tmpfs:chr_file rw_file_perms;
-
-# setcon to init domain.
-allow kernel self:process setcurrent;
-allow kernel init:process dyntransition;
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
# cgroup filesystem initialization prior to setting the cgroup root directory label.
allow kernel unlabeled:dir search;
@@ -20,18 +16,6 @@
allow kernel usbfs:filesystem mount;
allow kernel usbfs:dir search;
-# init direct restorecon calls prior to switching to init domain
-# /dev and /dev/socket
-allow kernel tmpfs:dir relabelfrom;
-allow kernel { device socket_device }:dir relabelto;
-# /dev/__properties__
-allow kernel tmpfs:file relabelfrom;
-allow kernel properties_device:file relabelto;
-# /sys
-allow kernel sysfs:{ dir file lnk_file } relabelfrom;
-allow kernel sysfs_type:{ dir file lnk_file } relabelto;
-allow kernel sysfs_type:dir r_dir_perms;
-
# Initial setenforce by init prior to switching to init domain.
# We use dontaudit instead of allow to prevent a kernel spawned userspace
# process from turning off SELinux once enabled.
@@ -58,6 +42,8 @@
allow kernel app_data_file:file read;
allow kernel asec_image_file:file read;
+domain_auto_trans(kernel, init_exec, init)
+
###
### neverallow rules
###
