am 0055ea90: Allow recovery to create device nodes and modify rootfs

* commit '0055ea90': Allow recovery to create device nodes and modify rootfs

am 0055ea90: Allow recovery to create device nodes and modify rootfs
7cd346a7 · Nick Kralevich · Android Git Automerger · 7adc8cfe · 0055ea90 · 7cd346a7
Commit 7cd346a7 authored Nov 7, 2014 by Nick Kralevich Committed by Android Git Automerger Nov 7, 2014
--- a/domain.te
+++ b/domain.te
@@ -255,7 +255,7 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } b
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 # ueventd is exempt from this, as its managing these devices.
-neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
+neverallow { domain -unconfineddomain -ueventd -recovery } device:chr_file { open read write };

 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
@@ -290,7 +290,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

 # Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };

 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.