Merge "Remove system_server and zygote unlabeled execute access."

commit: f197f8ce4a117e4134204a82d178d8d9ee753d3b [log] [tgz]
author: Nick Kralevich <nnk@google.com> Fri Feb 28 21:35:15 2014 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Feb 28 21:35:15 2014 +0000
tree: 866103a4215992637722736f6077018492663380
parent: b19a191af6d5cc6567739c0536a9519e16aa45f4 [diff]
parent: 37afd3f6c337a6914de36ec8658593b523f32e3d [diff]
diff --git a/lmkd.te b/lmkd.te
index 8643d91..a8b52c3 100644
--- a/lmkd.te
+++ b/lmkd.te

@@ -4,7 +4,7 @@
 
 init_daemon_domain(lmkd)
 
-allow lmkd self:capability { dac_override sys_resource };
+allow lmkd self:capability { dac_override sys_resource kill };
 
 ## Open and write to /proc/PID/oom_score_adj
 ## TODO: maybe scope this down?

diff --git a/uncrypt.te b/uncrypt.te
index f62fbbf..265a8b1 100644
--- a/uncrypt.te
+++ b/uncrypt.te

@@ -27,3 +27,4 @@
 # Raw writes to block device
 allow uncrypt self:capability sys_rawio;
 allow uncrypt block_device:blk_file w_file_perms;
+allow uncrypt block_device:dir r_dir_perms;
commit	f197f8ce4a117e4134204a82d178d8d9ee753d3b	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Fri Feb 28 21:35:15 2014 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Fri Feb 28 21:35:15 2014 +0000
tree	866103a4215992637722736f6077018492663380
parent	b19a191af6d5cc6567739c0536a9519e16aa45f4 [diff]
parent	37afd3f6c337a6914de36ec8658593b523f32e3d [diff]