am f70fcbd8: Merge "sepolicy: remove block_device access from install_recovery"

* commit 'f70fcbd8': sepolicy: remove block_device access from install_recovery

am f70fcbd8: Merge "sepolicy: remove block_device access from install_recovery"
5f6e9303 · Nick Kralevich · Android Git Automerger · 2714e41a · f70fcbd8 · 5f6e9303
Commit 5f6e9303 authored 10 years ago by Nick Kralevich Committed by Android Git Automerger 10 years ago
--- a/domain.te
+++ b/domain.te
@@ -257,7 +257,7 @@ neverallow domain init:binder *;
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.

--- a/install_recovery.te
+++ b/install_recovery.te
@@ -14,11 +14,7 @@ allow install_recovery shell_exec:file rx_file_perms;
 allow install_recovery system_file:file rx_file_perms;
 # Update the recovery block device
-# TODO: Limit this to only recovery block device when we
-# create an appropriate label for it.
 allow install_recovery block_device:dir search;
-allow install_recovery block_device:blk_file rw_file_perms;
-auditallow install_recovery block_device:blk_file rw_file_perms;
 allow install_recovery recovery_block_device:blk_file rw_file_perms;
 # Create and delete /cache/saved.file