Allow recovery to create device nodes and modify rootfs
tilapia's OTA code for updating the radio image needs to create files on rootfs and create a character device in /dev. Add an exception for recovery the the various neverallow rules blocking this behavior. Bug: 18281224 Change-Id: I5c57afe0a10b4598fea17f9c5c833bd39551907e
This commit is contained in:
Nick Kralevich
parent
2d1650f407
commit
0055ea904a
1 changed files with 2 additions and 2 deletions
|
|
@ -255,7 +255,7 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } b
|
|||
# Don't allow raw read/write/open access to generic devices.
|
||||
# Rather force a relabel to a more specific type.
|
||||
# ueventd is exempt from this, as its managing these devices.
|
||||
neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
|
||||
neverallow { domain -unconfineddomain -ueventd -recovery } device:chr_file { open read write };
|
||||
|
||||
# Limit what domains can mount filesystems or change their mount flags.
|
||||
# sdcard_type / vfat is exempt as a larger set of domains need
|
||||
|
|
@ -290,7 +290,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
|
|||
{ create write setattr relabelfrom relabelto append unlink link rename };
|
||||
|
||||
# Nothing should be writing to files in the rootfs.
|
||||
neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
|
||||
neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
|
||||
|
||||
# Restrict context mounts to specific types marked with
|
||||
# the contextmount_type attribute.
|
||||
|
|
|
|||
Loading…
Reference in a new issue