Merge "Set SELinux security contexts correctly for init and services."
This commit is contained in:
Nick Kralevich
Gerrit Code Review
+11
@@ -1,6 +1,13 @@
|
|||||||
import /init.recovery.${ro.hardware}.rc
|
import /init.recovery.${ro.hardware}.rc
|
||||||
|
|
||||||
on early-init
|
on early-init
|
||||||
|
# Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
|
||||||
|
write /sys/fs/selinux/checkreqprot 0
|
||||||
|
|
||||||
|
# Set the security context for the init process.
|
||||||
|
# This should occur before anything else (e.g. ueventd) is started.
|
||||||
|
setcon u:r:init:s0
|
||||||
|
|
||||||
start ueventd
|
start ueventd
|
||||||
start healthd
|
start healthd
|
||||||
|
|
||||||
@@ -43,15 +50,19 @@ on property:sys.powerctl=*
|
|||||||
|
|
||||||
service ueventd /sbin/ueventd
|
service ueventd /sbin/ueventd
|
||||||
critical
|
critical
|
||||||
|
seclabel u:r:ueventd:s0
|
||||||
|
|
||||||
service healthd /sbin/healthd -n
|
service healthd /sbin/healthd -n
|
||||||
critical
|
critical
|
||||||
|
seclabel u:r:healthd:s0
|
||||||
|
|
||||||
service recovery /sbin/recovery
|
service recovery /sbin/recovery
|
||||||
|
seclabel u:r:recovery:s0
|
||||||
|
|
||||||
service adbd /sbin/adbd recovery
|
service adbd /sbin/adbd recovery
|
||||||
disabled
|
disabled
|
||||||
socket adbd stream 660 system system
|
socket adbd stream 660 system system
|
||||||
|
seclabel u:r:adbd:s0
|
||||||
|
|
||||||
# Always start adbd on userdebug and eng builds
|
# Always start adbd on userdebug and eng builds
|
||||||
on property:ro.debuggable=1
|
on property:ro.debuggable=1
|
||||||
|
|||||||
Reference in New Issue
Block a user