Diffstat (limited to 'kernel.te')
-rw-r--r-- | kernel.te | 35 |
1 files changed, 17 insertions, 18 deletions
@@ -1,41 +1,36 @@
 # Life begins with the kernel.
-type kernel, domain;
+type kernel, domain, mlstrustedsubject;
-# Run /init before we have switched domains.
-allow kernel rootfs:file execute_no_trans;
+allow kernel self:capability sys_nice;
-# setcon to init domain.
-allow kernel self:process setcurrent;
-allow kernel init:process dyntransition;
-
-# The kernel is unconfined.
-unconfined_domain(kernel)
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
 # cgroup filesystem initialization prior to setting the cgroup root directory label.
 allow kernel unlabeled:dir search;
 # Mount usbfs.
 allow kernel usbfs:filesystem mount;
-
-# init direct restorecon calls prior to switching to init domain
-# /dev and /dev/socket
-allow kernel { device socket_device }:dir relabelto;
-# /dev/__properties__
-allow kernel properties_device:file relabelto;
-# /sys
-allow kernel sysfs:{ dir file lnk_file } relabelfrom;
-allow kernel sysfs_type:{ dir file lnk_file } relabelto;
+allow kernel usbfs:dir search;
 # Initial setenforce by init prior to switching to init domain.
 # We use dontaudit instead of allow to prevent a kernel spawned userspace
 # process from turning off SELinux once enabled.
 dontaudit kernel self:security setenforce;
+# Write to /proc/1/oom_adj prior to switching to init domain.
+allow kernel self:capability sys_resource;
+
 # Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
 allow kernel self:security setcheckreqprot;
 # MTP sync (b/15835289)
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel untrusted_app:fd use;
 allow kernel sdcard_type:file { read write };
 # Allow the kernel to read OBB files from app directories. (b/17428116)
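Review bot: Several grants added here carry no justification, which matters in a commit that replaces `unconfined_domain(kernel)` with an explicit allow list: `mlstrustedsubject` on the type declaration and `allow kernel self:capability sys_nice;` have no comment at all, and `allow kernel init:process share;` is admitted only with a TODO. Each should get a one-line reason in the style of the neighbouring rules, e.g. `# mlstrustedsubject: exempt from MLS constraints because <reason>`, and the TODO should carry a tracking reference such as `(b/<bug-id>)` so it is revisited rather than left in place. `allow kernel selinuxfs:file write;` and `allow kernel untrusted_app:fd use;` are slotted under existing comments that were written for other rules, and the same applies to `allow kernel vold:fd use;` in the next hunk; a reader auditing the kernel domain cannot tell from the file why a kernel thread needs descriptors passed from `untrusted_app`.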
@@ -43,7 +38,11 @@ allow kernel sdcard_type:file { read write };
 # Fixes CTS tests:
 # * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
 # * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel vold:fd use;
 allow kernel app_data_file:file read;
+allow kernel asec_image_file:file read;
+
+domain_auto_trans(kernel, init_exec, init)
 ###
 ### neverallow rules |
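Review bot: `domain_auto_trans(kernel, init_exec, init)` is added without a comment and without a visible guard that this is the only way out of the kernel domain. The neverallow section starts at the last two lines of this hunk and continues outside it, so it may already cover this; if it does not, and no other transition from kernel is intended, a rule such as `neverallow kernel { domain -init }:process transition;` would pin the intent at policy build time. A short comment above the macro, e.g. `# Transition to init once /init has been relabeled to init_exec.`, would also tie it to the `relabelfrom`/`relabelto` rules added in the first hunk, since the transition only fires if that relabel has succeeded.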