Recovery can use HALs only in passthrough mode

This adjusts the grants for recovery to make it explicit that recovery
can use the Boot Control HAL only in passthrough mode.

Test: Device boots up, no new denials
Test: Reboot into recovery, sideload OTA update succeeds
Test: Apply OTA update via update_engine:
      1. make dist
      2. Ensure device has network connectivity
      3. ota_call.py -s <serial here> out/dist/sailfish-ota-*.zip
Bug: 34170079

Change-Id: I0888816eca4d77939a55a7816e6cae9176713ee5
This commit is contained in:
Alex Klyubin 2017-03-20 13:11:33 -07:00
parent 51a2238c9e
commit 00a03d424f
2 changed files with 18 additions and 1 deletions

View file

@ -9,7 +9,8 @@ type recovery, domain, domain_deprecated;
recovery_only(`
# Allow recovery to perform an update as update_engine would do.
typeattribute recovery update_engine_common;
hal_client_domain(recovery, hal_bootctl)
# Recovery can only use HALs in passthrough mode
passthrough_hal_client_domain(recovery, hal_bootctl)
allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };

View file

@ -203,6 +203,22 @@ typeattribute $1 $2;
allow $2 system_file:dir r_dir_perms;
')
#####################################
# passthrough_hal_client_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to be a
# client of a passthrough HAL of the specified type.
#
# For example, make some_domain a client of passthrough Foo HAL:
# passthrough_hal_client_domain(some_domain, hal_foo)
#
define(`passthrough_hal_client_domain', `
typeattribute $1 halclientdomain;
typeattribute $1 $2_client;
typeattribute $1 $2;
# Find passthrough HAL implementations
allow $2 system_file:dir r_dir_perms;
')
#####################################
# unix_socket_connect(clientdomain, socket, serverdomain)
# Allow a local socket connection from clientdomain via