Something went wrong on our end
-
Stephen Smalley authoredOnly allow to domains as required and amend the existing neverallow on block_device:blk_file to replace the exemption for unconfineddomain with an explicit whitelist. The neverallow does not check other device types as specific ones may need to be writable by device-specific domains. Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c Signed-off-by:
Stephen Smalley <sds@tycho.nsa.gov>Stephen Smalley authoredOnly allow to domains as required and amend the existing neverallow on block_device:blk_file to replace the exemption for unconfineddomain with an explicit whitelist. The neverallow does not check other device types as specific ones may need to be writable by device-specific domains. Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c Signed-off-by:Stephen Smalley <sds@tycho.nsa.gov>
recovery.te 775 B
# recovery console (used in recovery init.rc for /sbin/recovery)
type recovery, domain;
allow recovery rootfs:file entrypoint;
unconfined_domain(recovery)
relabelto_domain(recovery)
allow recovery self:capability2 mac_admin;
allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
allow recovery unlabeled:filesystem mount;
allow recovery fs_type:filesystem *;
# Required to e.g. wipe userdata/cache.
allow recovery dev_type:blk_file rw_file_perms;
allow recovery self:process execmem;
allow recovery ashmem_device:chr_file execute;
allow recovery tmpfs:file rx_file_perms;
## TODO: Investigate whether it is safe to remove these
allow recovery self:capability { sys_rawio mknod };
auditallow recovery self:capability { sys_rawio mknod };