Merge "Make sure exec_type is assigned to all entrypoint types."

10f3c370 · Nick Kralevich · Gerrit Code Review · 5c947234 · 01301549 · 10f3c370
Commit 10f3c370 authored 11 years ago by Nick Kralevich Committed by Gerrit Code Review 11 years ago
--- a/domain.te
+++ b/domain.te
@@ -138,3 +138,6 @@ neverallow { domain -relabeltodomain } *:dir_file_class_set relabelto;

 # Only init should be able to load SELinux policies
 neverallow { domain -init } kernel:security load_policy;
+
+# Ensure that all entrypoint executables are in exec_type.
+neverallow domain { file_type -exec_type }:file entrypoint;
--- a/ping.te
+++ b/ping.te
 type ping, domain;
 permissive ping;
-type ping_exec, file_type;
+type ping_exec, exec_type, file_type;
 domain_auto_trans(shell, ping_exec, ping)
 unconfined_domain(ping)
--- a/runas.te
+++ b/runas.te
 type runas, domain;
-type runas_exec, file_type;
+type runas_exec, exec_type, file_type;
 permissive runas;
 unconfined_domain(runas)


--- a/shell.te
+++ b/shell.te
 # Domain for shell processes spawned by ADB
 type shell, domain;
-type shell_exec, file_type;
+type shell_exec, exec_type, file_type;
 unconfined_domain(shell)

 # Run app_process.

--- a/su.te
+++ b/su.te
 type su, domain;
 permissive su;
-type su_exec, file_type;
+type su_exec, exec_type, file_type;
 domain_auto_trans(shell, su_exec, su)

 # su is unconfined.

--- a/su_user.te
+++ b/su_user.te
 # File types must be defined for file_contexts.
-type su_exec, file_type;
+type su_exec, exec_type, file_type;

 # No allow rules