path: root/libcutils/socket_local_server_unix.cpp
author: Nick Kralevich <nnk@google.com> 2015-07-16 10:49:51 -0700
committer: Nick Kralevich <nnk@google.com> 2015-07-16 11:32:19 -0700
commit: 4800dbf1da2b7d866c67c7375a55057f2b6c6d52
tree: 63aaa93ce048343e6d5d257034c8f1e429d976bc /libcutils/socket_local_server_unix.cpp
parent: 759717ee63f7d8a75089bc4adc308d190ec6b0ac
init: refuse to start process if domain transition not defined

When SELinux is in enforcing mode, any process executed by init must have a domain transition defined. See https://android-review.googlesource.com/108640 for details. This prevents an executable spawned by init from remaining in init's (very powerful) SELinux domain.

However, this is only enforced when SELinux is in enforcing mode. During new device bringup, it's common to run an Android device in globally permissive mode. In globally permissive mode, SELinux denials are logged only, but otherwise ignored. If appropriate SELinux domain transitions are not defined from init to init spawned processes, this could cause misleading SELinux denials attributed to init instead of the child process.

To help address these misleading denials, modify init to not spawn processes unless a domain transition is defined. This essentially enforces the rules in https://android-review.googlesource.com/108640 on both permissive and enforcing kernels.

While I'm here, change some "freecon()" calls to "free()", with the long term goal of deleting freecon() entirely.

Change-Id: I3ef3a372bb85df61a3f6234cb1113cc25fc6506a

Diffstat (limited to 'libcutils/socket_local_server_unix.cpp')
0 files changed, 0 insertions, 0 deletions
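
A triage aid for the situation the commit message describes, added here as an example and not part of this commit or of init: it scans kernel AVC denial lines for ones whose source context is init's domain while the task name is something other than init, which points at a service running without a domain transition. The log lines and the `vendor_daemon` name are constructed, and `init` as the domain name is an assumption passed as a default.

```python
import re
from collections import Counter

# Constructed sample kernel log lines (not from the page); vendor_daemon is hypothetical.
SAMPLE_LOG = """\
type=1400 audit(1437068991.120:5): avc: denied { read } for pid=214 comm="vendor_daemon" name="config" dev="mmcblk0p28" ino=4021 scontext=u:r:init:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
type=1400 audit(1437068991.131:6): avc: denied { write open } for pid=214 comm="vendor_daemon" name="state" dev="mmcblk0p28" ino=4022 scontext=u:r:init:s0 tcontext=u:object_r:system_data_file:s0 tclass=file permissive=1
type=1400 audit(1437068992.002:7): avc: denied { setattr } for pid=1 comm="init" name="cache" dev="mmcblk0p27" ino=2 scontext=u:r:init:s0 tcontext=u:object_r:cache_file:s0 tclass=dir permissive=1
type=1400 audit(1437068993.410:8): avc: denied { read } for pid=301 comm="netd" name="hosts" dev="mmcblk0p25" ino=88 scontext=u:r:netd:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
init: Starting service 'vendor_daemon'...
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def source_domain(scontext):
    """Return the type field of a user:role:type:level context, or None."""
    parts = scontext.split(":")
    return parts[2] if len(parts) >= 3 else None

def misattributed_to_init(log_text, init_domain="init"):
    """Map task name -> Counter of (tclass, permission) for denials logged
    against init's domain by a task that is not init itself.

    comm is truncated by the kernel and a forked child keeps comm="init"
    until it execs, so this is a hint for triage, not proof.
    """
    suspects = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or source_domain(m["scontext"]) != init_domain:
            continue
        if m["comm"] == "init":
            continue  # denial raised by init's own code
        counts = suspects.setdefault(m["comm"], Counter())
        for perm in m["perms"].split():
            counts[(m["tclass"], perm)] += 1
    return suspects

if __name__ == "__main__":
    for comm, counts in misattributed_to_init(SAMPLE_LOG).items():
        print(f"{comm}: running in init's domain, {sum(counts.values())} denial(s)")
        for (tclass, perm), n in sorted(counts.items()):
            print(f"  {tclass}:{perm} x{n}")
```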