Commit 8b7ca455 authored by Nick Kralevich's avatar Nick Kralevich

Refine recovery domain.

Addresses the following denials:

    avc:  denied  { read write } for  pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { open } for  pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { ioctl } for  pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { sys_tty_config } for  pid=132 comm="recovery" capability=26  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
    avc:  denied  { setfcap } for  pid=142 comm="update_binary" capability=31  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability

Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
parent 90cb59fd
...@@ -10,7 +10,7 @@ recovery_only(` ...@@ -10,7 +10,7 @@ recovery_only(`
allow recovery rootfs:file entrypoint; allow recovery rootfs:file entrypoint;
permissive_or_unconfined(recovery) permissive_or_unconfined(recovery)
allow recovery self:capability { chown dac_override fowner fsetid sys_admin }; allow recovery self:capability { chown dac_override fowner fsetid setfcap sys_admin sys_tty_config };
# Set security contexts on files that are not known to the loaded policy. # Set security contexts on files that are not known to the loaded policy.
allow recovery self:capability2 mac_admin; allow recovery self:capability2 mac_admin;
...@@ -40,6 +40,7 @@ recovery_only(` ...@@ -40,6 +40,7 @@ recovery_only(`
allow recovery graphics_device:dir r_dir_perms; allow recovery graphics_device:dir r_dir_perms;
allow recovery input_device:dir r_dir_perms; allow recovery input_device:dir r_dir_perms;
allow recovery input_device:chr_file r_file_perms; allow recovery input_device:chr_file r_file_perms;
allow recovery tty_device:chr_file rw_file_perms;
# Create /tmp/recovery.log and execute /tmp/update_binary. # Create /tmp/recovery.log and execute /tmp/update_binary.
allow recovery tmpfs:file { create_file_perms x_file_perms }; allow recovery tmpfs:file { create_file_perms x_file_perms };
...@@ -57,5 +58,8 @@ recovery_only(` ...@@ -57,5 +58,8 @@ recovery_only(`
allow recovery self:process setfscreate; allow recovery self:process setfscreate;
wakelock_use(recovery) wakelock_use(recovery)
# This line seems suspect, as it shouldn't really need to
# set scheduling parameters for a kernel domain task.
allow recovery kernel:process setsched; allow recovery kernel:process setsched;
') ')
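Review bot: The widened `allow recovery self:capability` line adds `setfcap` and `sys_tty_config` with no comment saying which component needs each, unlike the commented `mac_admin` rule just below it. Going by the denials quoted in the commit message, `setfcap` was requested by `update_binary` running in the recovery domain and `sys_tty_config` by `recovery` itself, so a comment such as `# setfcap: update_binary sets file capabilities; sys_tty_config: recovery configures /dev/tty0` (wording to be confirmed by the author) would keep the grant auditable. The new `allow recovery tty_device:chr_file rw_file_perms;` rule is also uncommented, and the macro may grant more than the read/write/open/ioctl the denials show. For `kernel:process setsched`, the added comment only voices doubt; an `auditallow recovery kernel:process setsched;` beside it would show whether the permission is ever exercised before anyone removes it. The `recovery_only(` block opens outside the visible hunks, so rules between the hunks were not reviewed.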