Allow init to mount filesystems on properly labeled folders

Change-Id: I08aaf89e2ef23f9528d107a1c9d66c1c9979b3ac

Allow init to mount filesystems on properly labeled folders
Change-Id: I08aaf89e2ef23f9528d107a1c9d66c1c9979b3ac
f3500608 · Daniel Rosenberg · Rom Lemarchand · 1c749e07 · f3500608 · f3500608
Commit f3500608 authored 9 years ago by Daniel Rosenberg Committed by Rom Lemarchand 9 years ago
--- a/domain.te
+++ b/domain.te
@@ -312,7 +312,8 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
 neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;

 # Don't allow mounting on top of /system files or directories
-neverallow domain { system_file exec_type }:dir_file_class_set mounton;
+neverallow domain exec_type:dir_file_class_set mounton;
+neverallow { domain -init } system_file:dir_file_class_set mounton;

 # Nothing should be writing to files in the rootfs.
 neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };

--- a/init.te
+++ b/init.te
@@ -43,7 +43,7 @@ allow init self:capability sys_admin;

 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init rootfs:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;

 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;