From 1095d6944c6dc206c8656a34712f15820cd18f74 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 19 Jun 2014 12:15:22 -0400
Subject: [PATCH] Address recovery denials.

[  265.263738] type=1400 audit(17091747.819:4): avc:  denied  { write } for  pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
[  265.293154] type=1400 audit(17091747.849:5): avc:  denied  { execute } for  pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
[  265.299479] type=1400 audit(17091747.859:6): avc:  denied  { setgid } for  pid=177 comm="recovery" capability=6  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
[  265.299511] type=1400 audit(17091747.859:7): avc:  denied  { read write } for  pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[  265.299531] type=1400 audit(17091747.859:8): avc:  denied  { open } for  pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[  265.299863] type=1400 audit(17091747.859:9): avc:  denied  { setuid } for  pid=177 comm="recovery" capability=7  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability

Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 recovery.te | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/recovery.te b/recovery.te
index c6c5417df..e98cf4482 100644
--- a/recovery.te
+++ b/recovery.te
@@ -7,10 +7,10 @@ type recovery, domain;
 # But the allow rules are only included in the recovery policy.
 # Otherwise recovery is only allowed the domain rules.
 recovery_only(`
-  allow recovery rootfs:file entrypoint;
+  allow recovery rootfs:file { entrypoint execute };
   permissive_or_unconfined(recovery)
 
-  allow recovery self:capability { chown dac_override fowner fsetid setfcap sys_admin sys_tty_config };
+  allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
 
   # Set security contexts on files that are not known to the loaded policy.
   allow recovery self:capability2 mac_admin;
@@ -40,6 +40,13 @@ recovery_only(`
   # TODO: create more specific label?
   allow recovery proc:file w_file_perms;
 
+  # Write to /sys/class/android_usb/android0/enable.
+  # TODO: create more specific label?
+  allow recovery sysfs:file w_file_perms;
+
+  # Access /dev/android_adb.
+  allow recovery adb_device:chr_file rw_file_perms;
+
   # Required to e.g. wipe userdata/cache.
   allow recovery device:dir r_dir_perms;
   allow recovery block_device:dir r_dir_perms;
-- 
GitLab