Stephen Smalley authored
execute_no_trans controls whether a domain can execve a program without switching to another domain. Exclude this permission from unconfineddomain, add it back to init, init_shell, and recovery for files in / and /system, and to kernel for files in / (to permit execution of init prior to setcon). Prohibit it otherwise for the kernel domain via neverallow. This ensures that if a kernel task attempts to execute a kernel usermodehelper for which no domain transition is defined, the exec will fail.

Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
f3c3a1aa
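The reasoning in the commit message (drop execute_no_trans from the unconfined attribute, grant it back to a few domains on rootfs and system_file, and let a neverallow on kernel reject any future regression) is the kind of thing the policy compiler checks for you. The following is an added, self-contained toy checker written for this page; it is not Android's policy, not checkpolicy, and it understands only a small subset of the policy language (allow/neverallow with a single type or attribute as source and target, brace-delimited permission sets, and typeattribute). The policy text inside it is constructed to mirror the commit description, and the domain adbd is only there as a stand-in for "some other unconfined domain".

```python
"""Toy execute_no_trans checker for a simplified SELinux .te fragment.

Added example; supports only: allow/neverallow SRC TGT:CLASS PERMS; and
typeattribute TYPE ATTR; (no negated sets, no type statements, no macros).
"""
import re
from collections import defaultdict

RULE_RE = re.compile(r"^(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$")
ATTR_RE = re.compile(r"^typeattribute\s+(\S+)\s+(\S+)\s*;$")

# Constructed sample modelled on the commit description (not the real policy).
SAMPLE_POLICY = """
# execute_no_trans is deliberately absent from the unconfined grant.
allow unconfineddomain rootfs:file { read getattr open execute };
allow unconfineddomain system_file:file { read getattr open execute };

typeattribute init unconfineddomain;
typeattribute init_shell unconfineddomain;
typeattribute recovery unconfineddomain;
typeattribute kernel unconfineddomain;
typeattribute adbd unconfineddomain;

# Added back explicitly for the domains that need it.
allow init rootfs:file execute_no_trans;
allow init system_file:file execute_no_trans;
allow init_shell rootfs:file execute_no_trans;
allow init_shell system_file:file execute_no_trans;
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
allow kernel rootfs:file execute_no_trans;

# kernel may exec from / only; anything else must go through a transition.
neverallow kernel system_file:file execute_no_trans;
"""

# Same policy plus one rule that the neverallow above must reject.
VIOLATING_POLICY = SAMPLE_POLICY + "allow kernel system_file:file execute_no_trans;\n"


def _split_set(tok):
    """'{ a b }' -> {'a', 'b'}; 'a' -> {'a'}."""
    return set(tok.strip("{} ").split()) if tok.startswith("{") else {tok}


class Policy:
    def __init__(self, text):
        self.allows = []                 # (src, tgt, cls, perms)
        self.neverallows = []            # same shape
        self.attrs = defaultdict(set)    # attribute -> member types
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            m = RULE_RE.match(line)
            if m:
                kind, src, tgt, cls, perms = m.groups()
                rule = (src, tgt, cls, _split_set(perms))
                (self.allows if kind == "allow" else self.neverallows).append(rule)
                continue
            m = ATTR_RE.match(line)
            if m:
                typ, attr = m.groups()
                self.attrs[attr].add(typ)
                continue
            raise ValueError(f"unsupported statement: {line}")

    def _expand(self, name):
        """A rule written against an attribute applies to each member type."""
        return self.attrs.get(name, set()) | {name}

    def perms(self, src, tgt, cls):
        """Union of permissions every matching allow grants src on tgt:cls."""
        granted = set()
        for rsrc, rtgt, rcls, rperms in self.allows:
            if rcls == cls and src in self._expand(rsrc) and tgt in self._expand(rtgt):
                granted |= rperms
        return granted

    def can_execute_no_trans(self, domain, file_type):
        return "execute_no_trans" in self.perms(domain, file_type, "file")

    def neverallow_violations(self):
        """Like the compiler's neverallow check: list (src, tgt, cls, perms)
        that some allow grants even though a neverallow forbids them."""
        bad = []
        for nsrc, ntgt, ncls, nperms in self.neverallows:
            for s in sorted(self._expand(nsrc)):
                for t in sorted(self._expand(ntgt)):
                    clash = self.perms(s, t, ncls) & nperms
                    if clash:
                        bad.append((s, t, ncls, frozenset(clash)))
        return bad


if __name__ == "__main__":
    p = Policy(SAMPLE_POLICY)
    for dom in ("init_shell", "kernel", "adbd"):
        print(dom, "rootfs:", p.can_execute_no_trans(dom, "rootfs"),
              "system_file:", p.can_execute_no_trans(dom, "system_file"))
    print("violations:", Policy(VIOLATING_POLICY).neverallow_violations())
```

The point the checker makes concrete: adbd is unconfined and can still read and `execute` a system_file, but without execute_no_trans an execve that has no matching domain transition is denied, which is exactly the failure the commit wants for a kernel usermodehelper; and the neverallow turns an accidental `allow kernel system_file:file execute_no_trans` into a build-time error rather than a silent widening of policy.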
init_shell.te 455 B
# Restricted domain for shell processes spawned by init.
# Normally these are shell commands or scripts invoked via sh
# from an init*.rc file. No service should ever run in this domain.
type init_shell, domain;
domain_auto_trans(init, shell_exec, init_shell)
permissive_or_unconfined(init_shell)
# Run helpers from / or /system without changing domain.
allow init_shell rootfs:file execute_no_trans;
allow init_shell system_file:file execute_no_trans;
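Review bot: the comment above the two allow rules ("Run helpers from / or /system without changing domain.") should say why they are needed, because with permissive_or_unconfined(init_shell) directly above them a later reader will assume they are redundant and remove them. Per the commit message, execute_no_trans is no longer part of unconfineddomain, so these two lines are the only thing that lets init_shell exec a rootfs or system_file binary that has no domain_auto_trans target; suggest expanding the comment to something like "execute_no_trans is excluded from unconfineddomain, so grant it explicitly here" so the dependency survives future cleanups.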