Skip to content
Snippets Groups Projects
Commit 1095d694 authored by Stephen Smalley's avatar Stephen Smalley
Browse files

Address recovery denials. 


[  265.263738] type=1400 audit(17091747.819:4): avc:  denied  { write } for  pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
[  265.293154] type=1400 audit(17091747.849:5): avc:  denied  { execute } for  pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
[  265.299479] type=1400 audit(17091747.859:6): avc:  denied  { setgid } for  pid=177 comm="recovery" capability=6  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
[  265.299511] type=1400 audit(17091747.859:7): avc:  denied  { read write } for  pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[  265.299531] type=1400 audit(17091747.859:8): avc:  denied  { open } for  pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[  265.299863] type=1400 audit(17091747.859:9): avc:  denied  { setuid } for  pid=177 comm="recovery" capability=7  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability

Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent 97a2cfdf
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
Showing
with 9 additions and 2 deletions
recovery.te
+ 9
2
View file @ 1095d694
...@@ -7,10 +7,10 @@ type recovery, domain; ...@@ -7,10 +7,10 @@ type recovery, domain;
# But the allow rules are only included in the recovery policy. # But the allow rules are only included in the recovery policy.
# Otherwise recovery is only allowed the domain rules. # Otherwise recovery is only allowed the domain rules.
recovery_only(` recovery_only(`
allow recovery rootfs:file entrypoint; allow recovery rootfs:file { entrypoint execute };
permissive_or_unconfined(recovery) permissive_or_unconfined(recovery)
allow recovery self:capability { chown dac_override fowner fsetid setfcap sys_admin sys_tty_config }; allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
# Set security contexts on files that are not known to the loaded policy. # Set security contexts on files that are not known to the loaded policy.
allow recovery self:capability2 mac_admin; allow recovery self:capability2 mac_admin;
...@@ -40,6 +40,13 @@ recovery_only(` ...@@ -40,6 +40,13 @@ recovery_only(`
# TODO: create more specific label? # TODO: create more specific label?
allow recovery proc:file w_file_perms; allow recovery proc:file w_file_perms;
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
allow recovery sysfs:file w_file_perms;
# Access /dev/android_adb.
allow recovery adb_device:chr_file rw_file_perms;
# Required to e.g. wipe userdata/cache. # Required to e.g. wipe userdata/cache.
allow recovery device:dir r_dir_perms; allow recovery device:dir r_dir_perms;
allow recovery block_device:dir r_dir_perms; allow recovery block_device:dir r_dir_perms;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment