From 5487ca00d4788de367a9d099714f6df4d86ef261 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 10 Feb 2014 16:31:04 -0500
Subject: Remove several superuser capabilities from unconfined domains.

Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module.  It can be added back where appropriate in device
policy if using a modular kernel.  No neverallow since it is device
specific.

Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 recovery.te | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'recovery.te')

diff --git a/recovery.te b/recovery.te
index 37d6455..ea444c4 100644
--- a/recovery.te
+++ b/recovery.te
@@ -13,3 +13,7 @@ allow recovery fs_type:filesystem *;
 allow recovery self:process execmem;
 allow recovery ashmem_device:chr_file execute;
 allow recovery tmpfs:file rx_file_perms;
+
+## TODO: Investigate whether it is safe to remove these
+allow recovery self:capability { sys_rawio mknod };
+auditallow recovery self:capability { sys_rawio mknod };
-- 
cgit v1.2.3