From 9f6af083e8a31c9b5a9f9ac21885dfc3c0dc14b2 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 2 Jul 2014 16:18:16 -0700
Subject: [PATCH] New domain "install_recovery"
Create a new domain for the one-shot init service flash_recovery. This domain is initially in permissive_or_unconfined() for testing. Any SELinux denials won't be enforced for now.
Change-Id: I7146dc154a5c78b6f3b4b6fb5d5855a05a30bfd8
---
 domain.te | 2 +-
 file_contexts | 2 ++
 install_recovery.te | 31 +++++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 install_recovery.te
diff --git a/domain.te b/domain.te
index bd8ff25a9..0028a17a8 100644
--- a/domain.te
+++ b/domain.te
@@ -243,7 +243,7 @@ neverallow domain init:binder call;
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
diff --git a/file_contexts b/file_contexts
index 7db698fa8..5cc65972e 100644
--- a/file_contexts
+++ b/file_contexts
@@ -159,6 +159,8 @@
 /system/bin/uncrypt u:object_r:uncrypt_exec:s0
 /system/bin/logwrapper u:object_r:system_file:s0
 /system/bin/vdc u:object_r:vdc_exec:s0
+/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+
 #############################
 # Vendor files
 #
diff --git a/install_recovery.te b/install_recovery.te
new file mode 100644
index 000000000..46a7b978d
--- /dev/null
+++ b/install_recovery.te
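Review bot: The new `-install_recovery` exemption on the block_device neverallow removes the relabel-forcing guard for every blk_file carrying the generic block_device label, not only the recovery partition, and nothing in domain.te records that this is meant to be temporary. The install_recovery.te hunk in this commit carries a TODO to narrow the access once a dedicated label exists, but a reader of domain.te alone will not see it. Suggest recording the intent next to the rule: `# install_recovery: temporary exemption until the recovery partition has its own block device label`. The exemption list is also growing; a specific recovery block device type would let this rule and install_recovery.te be tightened together.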
@@ -0,0 +1,31 @@
+# service flash_recovery in init.rc
+type install_recovery, domain;
+type install_recovery_exec, exec_type, file_type;
+
+permissive_or_unconfined(install_recovery)
+
+init_daemon_domain(install_recovery)
+
+allow install_recovery self:capability dac_override;
+
+# /system/bin/install-recovery.sh is a shell script.
+# Needs to execute /system/bin/sh
+allow install_recovery shell_exec:file rx_file_perms;
+
+# Execute /system/bin/applypatch
+allow install_recovery system_file:file rx_file_perms;
+
+# Update the recovery block device
+# TODO: Limit this to only recovery block device when we
+# create an appropriate label for it.
+allow install_recovery block_device:dir search;
+allow install_recovery block_device:blk_file rw_file_perms;
+
+# Create and delete /cache/saved.file
+allow install_recovery cache_file:dir rw_dir_perms;
+allow install_recovery cache_file:file create_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+# TODO: create a specific label for this file instead of allowing
+# write for all /proc files.
+allow install_recovery proc:file w_file_perms;
--
GitLab
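Review bot: The `allow install_recovery self:capability dac_override;` rule is the only allow in the new file without a comment saying which operation needs it, while every other rule names the file or binary it is for. Because dac_override bypasses all discretionary permission checks, the reason should be recorded before the domain leaves permissive_or_unconfined, e.g. `# dac_override: needed for <operation — TODO confirm from denials>`. The `system_file:file rx_file_perms` rule likewise permits executing any system_file-labelled binary although its comment names only applypatch; a note such as `# NOTE: covers every system_file binary, not just applypatch` keeps that breadth visible to whoever later tightens the domain. The two existing TODOs already cover the block_device and proc breadth, so no further note is needed there.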