Remove several superuser capabilities from unconfined domains.

Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module.  It can be added back where appropriate in device
policy if using a modular kernel.  No neverallow since it is device
specific.

Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/recovery.te b/recovery.te
index 37d6455..ea444c4 100644
--- a/recovery.te
+++ b/recovery.te
@@ -13,3 +13,7 @@
 allow recovery self:process execmem;
 allow recovery ashmem_device:chr_file execute;
 allow recovery tmpfs:file rx_file_perms;
+
+## TODO: Investigate whether it is safe to remove these
+allow recovery self:capability { sys_rawio mknod };
+auditallow recovery self:capability { sys_rawio mknod };
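Review bot: the `allow recovery self:capability { sys_rawio mknod };` rule will conflict with the neverallow the commit message says it adds for sys_rawio and mknod unless that neverallow explicitly exempts the recovery domain (the neverallow hunk is not shown here), so please confirm the exemption is present or policy compilation will fail. Pairing the allow with `auditallow recovery self:capability { sys_rawio mknod };` is the right way to collect evidence for the TODO above it; consider expanding the TODO to say which recovery operations are expected to exercise these capabilities and how long the audit data should be gathered before deciding to drop the allow, so the follow-up does not get lost.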