From 87dd195b783ffa9fef0527ec79254886df0fa4df Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 11 Dec 2017 09:22:01 -0800
Subject: [PATCH] Restore recovery's ability to format cache and preserve logs

Commit b8b4f5d6 'Clean up old file-based OTA SELinux rules' removed
many permissions from recovery, a few of which are still required.
Restore these.

[ 2918.409108] type=1400 audit(2327427.540:159): avc:  denied
{ search } for  pid=339 comm="recovery" name="/" dev="mmcblk0p38"
ino=2 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0
tclass=dir permissive=0
[ 2586.563071] E:Failed to mount / create /cache/recovery: Permission
denied
[ 2586.780320] E:Can't open /cache/recovery/log: Permission denied
[ 2586.850399] E:Can't open /cache/recovery/last_log: Permission
denied
[ 2586.918979] E:Can't open /cache/recovery/last_install: Permission
denied

[   54.035867] type=1400 audit(59206654.526:12): avc:  denied  { chown }
for  pid=330 comm="recovery" capability=0  scontext=u:r:recovery:s0
tcontext=u:r:recovery:s0 tclass=capability permissive=0a

Bug: 70350029
Test: xunchang to test
Change-Id: I46ab049b8eb600b44c84a61777fade150cadd197
---
 public/domain.te   |  2 +-
 public/recovery.te | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index ffbb54d68..eb02021fd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -239,7 +239,7 @@ neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
 neverallowxperm * devpts:chr_file ioctl TIOCSTI;
 
 # Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init } unlabeled:dir_file_class_set create;
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
 # Limit device node creation to these whitelisted domains.
 neverallow {
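Review bot: The comment two lines above the changed neverallow, "Do not allow any domain other than init to create unlabeled files.", is now inaccurate since recovery is added to the exemption set, and nothing next to the rule records why recovery is exempt. A reader auditing this neverallow later cannot tell from domain.te alone whether the carve-out is deliberate. Suggest updating it to `# Do not allow any domain other than init or recovery to create unlabeled files.` and adding a second line such as `# recovery: may need to create files whose label the running policy does not know (see recovery.te).`, which appears to be the rationale given in the recovery.te hunk of this same patch.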
diff --git a/public/recovery.te b/public/recovery.te
index f6ad47fef..05cc195e1 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -12,7 +12,15 @@ recovery_only(`
   # Recovery can only use HALs in passthrough mode
   passthrough_hal_client_domain(recovery, hal_bootctl)
 
-  allow recovery self:global_capability_class_set { dac_override fowner setuid setgid sys_admin sys_tty_config };
+  allow recovery self:global_capability_class_set {
+    chown
+    dac_override
+    fowner
+    setuid
+    setgid
+    sys_admin
+    sys_tty_config
+  };
 
   # Run helpers from / or /system without changing domain.
   r_dir_file(recovery, rootfs)
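Review bot: `chown` is added to recovery's capability set without a comment, and the only justification is the `capability=0` denial in the commit message, which will not be visible to someone reading recovery.te. The other capabilities in this set are also uncommented, so this is consistent with the existing style, but a capability grant is the kind of line that benefits from a one-line reason. Suggest annotating the new entry, e.g. `chown  # preserving logs under /cache/recovery (see commit I46ab049b)`, with the exact reason confirmed by the recovery owner since the patch itself only shows the denial, not the code path that triggers it.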
@@ -26,6 +34,11 @@ recovery_only(`
   allow recovery unlabeled:filesystem ~relabelto;
   allow recovery contextmount_type:filesystem relabelto;
 
+  # We may be asked to set an SELinux label for a type not known to the
+  # currently loaded policy. Allow it.
+  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+
   # Get file contexts
   allow recovery file_contexts_file:file r_file_perms;
 
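Review bot: The new comment explains only the relabel case, but the rules also grant `create_file_perms` and `create_dir_perms` on unlabeled files, links and dirs, and the commit message's denials are about searching/creating `/cache/recovery` on an unlabeled mount rather than relabeling. The comment should cover both, e.g. `# Also allow creating and writing files/dirs on an unlabeled (e.g. freshly formatted) filesystem, such as /cache/recovery; the create rule needs the recovery exemption in domain.te.` Cross-referencing the domain.te neverallow is worth the extra line because the two changes only work together, and whoever tightens one will otherwise silently break the other. If `create_dir_perms` expands to include the `search` permission from the first denial, as I believe the Android macro does, that should be confirmed rather than assumed.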
-- 
GitLab