Commits

Stephen Smalley committed 2c9d5b2

Set SELinux security contexts correctly for init and services.

Otherwise everything is left running in the kernel domain when
booting recovery.

Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

  • Participants
  • Parent commits 617d1ca

Comments (0)

Files changed (1)

 import /init.recovery.${ro.hardware}.rc
 
 on early-init
+    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
+    write /sys/fs/selinux/checkreqprot 0
+
+    # Set the security context for the init process.
+    # This should occur before anything else (e.g. ueventd) is started.
+    setcon u:r:init:s0
+
     start ueventd
     start healthd
 
 
 service ueventd /sbin/ueventd
     critical
+    seclabel u:r:ueventd:s0
 
 service healthd /sbin/healthd -n
     critical
+    seclabel u:r:healthd:s0
 
 service recovery /sbin/recovery
+    seclabel u:r:recovery:s0
 
 service adbd /sbin/adbd recovery
     disabled
     socket adbd stream 660 system system
+    seclabel u:r:adbd:s0
 
 # Always start adbd on userdebug and eng builds
 on property:ro.debuggable=1