Improve sepolicy labeling and domain confinement.
* Move certain services out of init's domain.
init's domain is unconfined and we should
be limiting those services that need to
run in init's context. For the new domains
introduced, keep them permissive and unconfined
for now until future policy work will individually
drop these constraints.
* Add context option to fstab when mounting
the firmware partition. This will ensure
proper labeling and not use the default vfat
label of sdcard_external.
* Use concatenation versus assignment when making
policy declarations inside BoardConfig.mk. This
will allow sepolicy to exist in the vendor
directory.
Change-Id: I93c7413bf2a8ceb7589f059e754c4b2a787fdbaf
Signed-off-by: rpcraig <[email protected]>
diff --git a/fstab.mako b/fstab.mako
index 3ae7c2a..2cee35c 100644
--- a/fstab.mako
+++ b/fstab.mako
@@ -7,7 +7,7 @@
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 noatime,nosuid,nodev,barrier=1,data=ordered wait,check
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 noatime,nosuid,nodev,barrier=1,data=ordered,noauto_da_alloc wait,check,encryptable=/dev/block/platform/msm_sdcc.1/by-name/metadata
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 nosuid,nodev,barrier=1,data=ordered,nodelalloc wait
-/dev/block/platform/msm_sdcc.1/by-name/modem /firmware vfat ro,uid=1000,gid=1000,dmask=227,fmask=337 wait
+/dev/block/platform/msm_sdcc.1/by-name/modem /firmware vfat ro,uid=1000,gid=1000,dmask=227,fmask=337,context=u:object_r:radio_efs_file:s0 wait
/dev/block/platform/msm_sdcc.1/by-name/boot /boot emmc defaults defaults
/dev/block/platform/msm_sdcc.1/by-name/recovery /recovery emmc defaults defaults
/dev/block/platform/msm_sdcc.1/by-name/misc /misc emmc defaults defaults
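Review bot: on the changed `/firmware` line, `context=u:object_r:radio_efs_file:s0` gives every file and directory on the vfat partition the same type, so any domain allowed to read `radio_efs_file` gets the same access to the whole partition. The commit message explains that the goal is to avoid the default `sdcard_external` label but not why `radio_efs_file` is the right type for the modem partition. Please state that reasoning, or consider a type dedicated to this partition so access to it can be granted separately. It is also worth noting in the message that a `context=` mount fixes the label for the entire filesystem, so per-file labeling of `/firmware` contents is not possible afterwards.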