From 8b7ca455a6789653e73729453bbb3169954d9994 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 7 Jun 2014 11:48:35 -0700
Subject: [PATCH] Refine recovery domain.

Addresses the following denials:
avc: denied { read write } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
avc: denied { open } for pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
avc: denied { ioctl } for pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
avc: denied { sys_tty_config } for pid=132 comm="recovery" capability=26 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
avc: denied { setfcap } for pid=142 comm="update_binary" capability=31 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability

Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
---
 recovery.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/recovery.te b/recovery.te
index 951c49824..479f26031 100644
--- a/recovery.te
+++ b/recovery.te
@@ -10,7 +10,7 @@ recovery_only(`
 allow recovery rootfs:file entrypoint;
 permissive_or_unconfined(recovery)
- allow recovery self:capability { chown dac_override fowner fsetid sys_admin };
+ allow recovery self:capability { chown dac_override fowner fsetid setfcap sys_admin sys_tty_config };
 # Set security contexts on files that are not known to the loaded policy.
 allow recovery self:capability2 mac_admin;
@@ -40,6 +40,7 @@ recovery_only(`
 allow recovery graphics_device:dir r_dir_perms;
 allow recovery input_device:dir r_dir_perms;
 allow recovery input_device:chr_file r_file_perms;
+ allow recovery tty_device:chr_file rw_file_perms;
 # Create /tmp/recovery.log and execute /tmp/update_binary.
 allow recovery tmpfs:file { create_file_perms x_file_perms };
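Review bot: The widened `allow recovery self:capability { ... }` line gives no comment saying why `setfcap` and `sys_tty_config` are now needed, and the new `allow recovery tty_device:chr_file rw_file_perms;` rule in the next hunk has the same gap; the reasons live only in the commit message and will be lost to whoever next audits this domain. The denials quoted in the description show `setfcap` triggered by `comm="update_binary"` rather than by `recovery` itself, which is worth recording in the policy because it makes clear the capability is granted to the whole domain on behalf of an executed updater and not for recovery's own code. I would add above the capability line `# setfcap: update_binary sets file capabilities; sys_tty_config: console (tty0) ioctls.` and above the tty rule `# Console access on /dev/tty0 (see tty_device denials).`, the latter inferred from the tty0 denials and to be confirmed against the recovery binary. The `recovery_only(` block enclosing both hunks begins outside them.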
@@ -57,5 +58,8 @@ recovery_only(`
 allow recovery self:process setfscreate;
 wakelock_use(recovery)
+
+ # This line seems suspect, as it shouldn't really need to
+ # set scheduling parameters for a kernel domain task.
 allow recovery kernel:process setsched;
 ')
--
GitLab
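Review bot: The added comment above `allow recovery kernel:process setsched;` flags the rule as suspect but leaves no actionable trail: no TODO, no note of which recovery code path was observed needing setsched on a kernel task, and no reason the rule is kept rather than removed, so it will stay in the policy indefinitely. The description's denial list contains no setsched denial, which suggests the rule's need has not been re-verified in this change; that is worth stating. I would rewrite the two comment lines as `# TODO: recovery should not need to set scheduling parameters on kernel-domain tasks; identify the caller and drop this rule.` The enclosing `recovery_only(` block starts before this hunk.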