From 03dbf07a47627a8615e5ac9f3d8834dd70af8a06 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 3 Jun 2014 16:16:21 -0700
Subject: [PATCH] More recovery rules

Further refine the rules surrounding the recovery SELinux
domain, and get rid of dmesg log spam.

Recovery is still in permissive_or_unconfined(), so no expected
change in behavior.

Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
---
 recovery.te | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/recovery.te b/recovery.te
index 3efae4ec6..2d400cd41 100644
--- a/recovery.te
+++ b/recovery.te
@@ -10,10 +10,13 @@ recovery_only(`
   allow recovery rootfs:file entrypoint;
   permissive_or_unconfined(recovery)
 
+  allow recovery self:capability { chown dac_override fowner fsetid sys_admin };
+
   # Set security contexts on files that are not known to the loaded policy.
   allow recovery self:capability2 mac_admin;
 
   # Mount filesystems.
+  allow recovery rootfs:dir mounton;
   allow recovery fs_type:filesystem *;
   allow recovery unlabeled:filesystem *;
 
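Review bot: The new `allow recovery self:capability { chown dac_override fowner fsetid sys_admin };` line is the broadest grant in this hunk and carries no comment, unlike the neighbouring mac_admin rule; dac_override and sys_admin in particular let the domain bypass DAC checks and perform mount-class operations, so a reader tightening this policy later cannot tell which of the five is still required. Since recovery is still in permissive_or_unconfined() there is no behavioural change now, but that is exactly when the justification should be recorded, before the domain is confined. I would add, above the line, something like `# chown/fowner/fsetid: presumably for restoring ownership and mode bits on files written during an OTA; dac_override/sys_admin: presumably for writing to partition paths and mounting — confirm each against the denials this silences` (hedged, because the commit message only says the rules silence dmesg spam and does not name the operations). If any capability turns out to be unneeded once the denials are reviewed, it should be dropped rather than kept for convenience.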
@@ -22,15 +25,32 @@ recovery_only(`
   allow recovery system_file:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
 
   # Required to e.g. wipe userdata/cache.
+  allow recovery block_device:dir r_dir_perms;
   allow recovery dev_type:blk_file rw_file_perms;
 
   # GUI
   allow recovery self:process execmem;
   allow recovery ashmem_device:chr_file execute;
+  allow recovery graphics_device:chr_file rw_file_perms;
+  allow recovery graphics_device:dir r_dir_perms;
+  allow recovery input_device:dir r_dir_perms;
+  allow recovery input_device:chr_file r_file_perms;
+
+  # Create /tmp/recovery.log and execute /tmp/update_binary.
+  allow recovery tmpfs:file { create_file_perms x_file_perms };
+  allow recovery tmpfs:dir create_dir_perms;
 
-  # Execute /tmp/update_binary.
-  allow recovery tmpfs:file rx_file_perms;
+  # Manage files on /cache
+  allow recovery cache_file:dir create_dir_perms;
+  allow recovery cache_file:file create_file_perms;
+
+  # Reboot the device
+  allow recovery powerctl_prop:property_service set;
+  unix_socket_connect(recovery, property, init)
 
   # Use setfscreatecon() to label files for OTA updates.
   allow recovery self:process setfscreate;
+
+  wakelock_use(recovery)
+  allow recovery kernel:process setsched;
 ')
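Review bot: The replacement rule `allow recovery tmpfs:file { create_file_perms x_file_perms };` widens the old `rx_file_perms` grant to create/write and execute on the same tmpfs file type, so the domain can now both write and execute files under /tmp; that is inherent to running an extracted /tmp/update_binary, but the comment should say so explicitly rather than just listing the two use cases. I would change the comment to `# Create /tmp/recovery.log and execute /tmp/update_binary. Note tmpfs files are both writable and executable by this domain; the update_binary must come from a package whose signature has been verified before it is extracted here.` The signature-verification part is an assumption about the recovery binary, not something this policy shows, so confirm it holds before relying on the wording. The trailing `wakelock_use(recovery)` and `allow recovery kernel:process setsched;` lines also land without a comment; a one-liner naming the call that triggered each denial (e.g. `# setsched: presumably for setpriority()/sched_setscheduler() against kernel threads — confirm`) would keep them from being cargo-culted when the domain is confined.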
-- 
GitLab