From 660d81b67684b1632e8141bcca38c49e33ac94ca Mon Sep 17 00:00:00 2001
From: xiaohuin <quic_xiaohuin@quicinc.com>
Date: Thu, 3 Jun 2021 16:34:58 +0800
Subject: [PATCH] sepolicy: allow recovery to operate devpts and kmsg

Fix recovery hang when factory reset.

1. Recovery needs devpts permission to call liblogwrap to operate child_ptty for e2fsck
avc:  denied  { read write } scontext=u:r:recovery:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
2. Recovery needs kmsg_device permission to redirect logs from e2fsck to kmsg
avc:  denied  { getattr } scontext=u:r:recovery:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0

Bug: 189805577
Test: Manual. Erase all data(factory reset)
Change-Id: I86ad2109c5199c897462be8b9f1c1cb3d78bc294
---
 public/recovery.te | 4 ++++
 1 file changed, 4 insertions(+)
 mode change 100644 => 100755 public/recovery.te

diff --git a/public/recovery.te b/public/recovery.te
old mode 100644
new mode 100755
index 364988887..33658e86f
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -133,6 +133,10 @@ recovery_only(`
 
   # Allow mounting /metadata for writing update states
   allow recovery metadata_file:dir { getattr mounton };
+
+  # Recovery uses liblogwrap to write fsck logs to kmsg, liblogwrap requires devpts.
+  allow recovery devpts:chr_file rw_file_perms;
+  allow recovery kmsg_device:chr_file { getattr w_file_perms };
 ')
 
 ###