Merge "Make drmserver enforcing."
diff --git a/adbd.te b/adbd.te
index 8614819..28fa5e5 100644
--- a/adbd.te
+++ b/adbd.te
@@ -3,7 +3,6 @@
 type adbd, domain;
 
 userdebug_or_eng(`
-  permissive adbd;
   allow adbd su:process dyntransition;
 ')
 
diff --git a/healthd.te b/healthd.te
index 125ced0..02c7ba8 100644
--- a/healthd.te
+++ b/healthd.te
@@ -1,9 +1,7 @@
 # healthd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type healthd, domain;
-type healthd_exec, exec_type, file_type;
 
-init_daemon_domain(healthd)
 allow healthd rootfs:file { read entrypoint };
 write_klog(healthd)
 # /dev/__null__ created by init prior to policy load,
diff --git a/init.te b/init.te
index abe5e78..bab0df3 100644
--- a/init.te
+++ b/init.te
@@ -11,3 +11,11 @@
 allow init kernel:security load_policy;
 allow init usermodehelper:file rw_file_perms;
 allow init proc_security:file rw_file_perms;
+
+# Transitions to seclabel processes in init.rc
+allow init adbd:process transition;
+allow init healthd:process transition;
+allow init recovery:process transition;
+allow init shell:process transition;
+allow init ueventd:process transition;
+allow init watchdogd:process transition;
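Review bot: The comment on the added block says what the rules are for, but not why they are needed now or what else a `seclabel` service depends on. This commit also takes `transition` out of the unconfineddomain rule in unconfined.te, so every init.rc service started with `seclabel` needs an entry here, plus an `entrypoint` rule in its target domain like the `rootfs:file` one that healthd.te keeps; the matching rules for adbd, recovery, shell, ueventd and watchdogd are not visible in this diff. I would extend the comment to `# Transitions to seclabel processes in init.rc. Not granted via unconfineddomain; keep in sync with the seclabel entries in init.rc.` The `shell` rule applies to every build variant, whereas adbd.te scopes its `su` rule with `userdebug_or_eng`; if the shell service is debug-only (init.rc is not shown here), this rule could presumably be scoped the same way.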
diff --git a/kernel.te b/kernel.te
index 4ccce20..dfc6258 100644
--- a/kernel.te
+++ b/kernel.te
@@ -1,5 +1,8 @@
 # Life begins with the kernel.
 type kernel, domain;
+
+allow kernel init:process dyntransition;
+
 # The kernel is unconfined.
 unconfined_domain(kernel)
 relabelto_domain(kernel)
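Review bot: The added `allow kernel init:process dyntransition;` has no comment, and it is the only dynamic transition granted to the kernel domain in this file. It is presumably there because init starts in the kernel context and switches itself to the init domain after policy load, which the narrowed rule in unconfined.te no longer covers. A line such as `# init starts in the kernel domain and switches to init via setcon; this is the only domain the kernel may dyntransition to.` would record that intent, once confirmed against init.rc, so that later additions to the rule get questioned.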
diff --git a/unconfined.te b/unconfined.te
index 44ba046..9facc2e 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -19,7 +19,7 @@
 allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot };
 allow unconfineddomain kernel:system *;
-allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace };
+allow unconfineddomain domain:process ~{ execmem execstack execheap ptrace transition dyntransition };
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;
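Review bot: The widened exclusion set on the `domain:process` rule is undocumented, so nothing tells a later editor that `transition` and `dyntransition` were left out deliberately. The complement still leaves `setexec` and `setcurrent` allowed, which means the restriction now rests entirely on the explicit per-domain rules added in init.te and kernel.te. I would put a comment above the rule, for example `# transition/dyntransition are never granted wholesale; add an explicit allow in the source domain's .te file.` The rest of the unconfineddomain rule set lies outside this hunk.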