From 2c9d5b2839307987812db8a939d88272b865bacc Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 13 Jan 2014 09:44:42 -0500
Subject: Set SELinux security contexts correctly for init and services.

Otherwise everything is left running in the kernel domain when
booting recovery.

Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 etc/init.rc | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'etc')

diff --git a/etc/init.rc b/etc/init.rc
index 1754890..5f9ce80 100644
--- a/etc/init.rc
+++ b/etc/init.rc
@@ -1,6 +1,13 @@
 import /init.recovery.${ro.hardware}.rc
 
 on early-init
+    # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
+    write /sys/fs/selinux/checkreqprot 0
+
+    # Set the security context for the init process.
+    # This should occur before anything else (e.g. ueventd) is started.
+    setcon u:r:init:s0
+
     start ueventd
     start healthd
 
@@ -43,15 +50,19 @@ on property:sys.powerctl=*
 
 service ueventd /sbin/ueventd
     critical
+    seclabel u:r:ueventd:s0
 
 service healthd /sbin/healthd -n
     critical
+    seclabel u:r:healthd:s0
 
 service recovery /sbin/recovery
+    seclabel u:r:recovery:s0
 
 service adbd /sbin/adbd recovery
     disabled
     socket adbd stream 660 system system
+    seclabel u:r:adbd:s0
 
 # Always start adbd on userdebug and eng builds
 on property:ro.debuggable=1
-- 
cgit v1.1