Add a domain for the recovery console.

Define a domain for use by the recovery init.rc file for /sbin/recovery. Start with a copy of the kernel domain rules since that is what /sbin/recovery was previously running in, and then add rules as appropriate. Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 09:45:45 -05:00 · 2014-01-13 09:45:45 -05:00 · 6d10ca8fb6
commit 6d10ca8fb6
parent 06a0d78621
1 changed files with 11 additions and 0 deletions
--- a/recovery.te
+++ b/recovery.te
@ -0,0 +1,11 @@
+# recovery console (used in recovery init.rc for /sbin/recovery)
+type recovery, domain;
+allow recovery rootfs:file entrypoint;
+unconfined_domain(recovery)
+relabelto_domain(recovery)
+
+allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
+allow recovery unlabeled:filesystem mount;
+
+allow recovery self:process execmem;
+allow recovery cache_file:file rx_file_perms;