init: refuse to start process if domain transition not defined
When SELinux is in enforcing mode, any process executed by init must have a domain transition defined. See https://android-review.googlesource.com/108640 for details. This prevents an executable spawned by init from remaining in init's (very powerful) SELinux domain.

However, this is only enforced when SELinux is in enforcing mode. During new device bringup, it's common to run an Android device in globally permissive mode. In globally permissive mode, SELinux denials are logged only, but otherwise ignored. If appropriate SELinux domain transitions are not defined from init to init spawned processes, this could cause misleading SELinux denials attributed to init instead of the child process.

To help address these misleading denials, modify init to not spawn processes unless a domain transition is defined. This essentially enforces the rules in https://android-review.googlesource.com/108640 on both permissive and enforcing kernels.

While I'm here, change some "freecon()" calls to "free()", with the long term goal of deleting freecon() entirely.

Change-Id: I3ef3a372bb85df61a3f6234cb1113cc25fc6506a