commit dcfcdbdf49cb81c1133d4c421d138ac0ec073c68
author Nick Kralevich <nnk@google.com> Tue May 20 15:59:48 2014 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue May 20 15:59:48 2014 +0000
tree c777089aeccf032e0564a1f8aed9609ef4e96093
parent 77c00a68fe1115cafa79dc0fcf7ab9adb98e37f0
parent 8aa754c9bef003d9429a44e86043661979b75e7b

Merge "Don't allow ptrace on keystore"

domain.te

diff --git a/domain.te b/domain.te
index 0bd9ad0..029d20a 100644
--- a/domain.te
+++ b/domain.te
@@ -150,9 +150,11 @@
 #
 allow domain unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
 allow domain unlabeled:dir { create_dir_perms relabelfrom };
-auditallow { domain -init } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-auditallow { domain -init -kernel } unlabeled:dir { create_dir_perms relabelfrom };
+auditallow { domain -init -installd } unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+auditallow { domain -init -kernel -installd } unlabeled:dir { create_dir_perms relabelfrom };
 auditallow kernel unlabeled:dir ~search;
+auditallow installd unlabeled:dir ~{ getattr search relabelfrom };
+auditallow installd unlabeled:notdevfile_class_set ~{ getattr relabelfrom };
 
 ###
 ### neverallow rules

unconfined.te

diff --git a/unconfined.te b/unconfined.te
index 8eda097..5a23c3f 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -16,7 +16,7 @@
 # The use of this template is discouraged.
 ######################################################
 
-allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control };
+allow unconfineddomain self:capability ~{ sys_ptrace sys_rawio mknod sys_module audit_write audit_control linux_immutable };
 allow unconfineddomain self:capability2 ~{ mac_override mac_admin };
 allow unconfineddomain kernel:security ~{ load_policy setenforce setcheckreqprot setbool setsecparam };
 allow unconfineddomain kernel:system *;