recovery: fix denials during factory reset

Addresses these denials when wiping data on sailfish:

avc:  denied  { open } for  pid=488 comm="mke2fs_static"
path="/proc/swaps" dev="proc" ino=4026532415 scontext=u:r:recovery:s0
tcontext=u:object_r:proc_swaps:s0 tclass=file permissive=1

avc:  denied  { search } for  pid=488 comm="mke2fs_static"
name="features" dev="sysfs" ino=30084 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=dir permissive=1

avc:  denied  { read } for  pid=488 comm="mke2fs_static"
name="lazy_itable_init" dev="sysfs" ino=30085 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=file permissive=1

Test: Wipe data/factory reset -> no selinux denials
Change-Id: Ia9e2e4fd4a1c604c9286a558ef0fe43fd153e3bc
Tri Vo 2017-10-26 10:29:52 -07:00
parent 71b19aa601
commit 7e5c2883f3


@ -52,6 +52,9 @@ recovery_only(`
# Write to /proc/sys/vm/drop_caches
allow recovery proc_drop_caches:file w_file_perms;
# Read /proc/swaps
allow recovery proc_swaps:file r_file_perms;
# Read kernel config through libvintf for OTA matching
allow recovery config_gz:file { open read getattr };
@ -66,6 +69,9 @@ recovery_only(`
allow recovery sysfs_batteryinfo:file r_file_perms;
# Read /sysfs/fs/ext4/features
r_dir_file(recovery, sysfs_fs_ext4_features)
# Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
# control backlight brightness.
allow recovery sysfs_leds:dir r_dir_perms;
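Review bot: The new comment above `r_dir_file(recovery, sysfs_fs_ext4_features)` gives the path as `/sysfs/fs/ext4/features`; the denials quoted in the commit message are on the sysfs mount, so it should read `/sys/fs/ext4/features`. Both added comments would help a later policy audit more if they recorded why recovery needs the access, e.g. `# Read /sys/fs/ext4/features; mke2fs_static reads lazy_itable_init when formatting during wipe` and `# Read /proc/swaps; opened by mke2fs_static when formatting during wipe`. The logged denials cover only `open` on proc_swaps and `search`/`read` on sysfs_fs_ext4_features, and they were captured with permissive=1, so it is worth confirming under enforcing that the wipe still passes and that the wider `r_file_perms` and `r_dir_file` sets are intended rather than a narrower set like the `{ open read getattr }` used for config_gz. The `recovery_only(` block begins and ends outside both hunks.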