Restore recovery's ability to format cache and preserve logs
Commit b8b4f5d6
'Clean up old file-based OTA SELinux rules' removed
many permissions from recovery, a few of which are still required.
Restore these.
[ 2918.409108] type=1400 audit(2327427.540:159): avc: denied
{ search } for pid=339 comm="recovery" name="/" dev="mmcblk0p38"
ino=2 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0
tclass=dir permissive=0
[ 2586.563071] E:Failed to mount / create /cache/recovery: Permission
denied
[ 2586.780320] E:Can't open /cache/recovery/log: Permission denied
[ 2586.850399] E:Can't open /cache/recovery/last_log: Permission
denied
[ 2586.918979] E:Can't open /cache/recovery/last_install: Permission
denied
[ 54.035867] type=1400 audit(59206654.526:12): avc: denied { chown }
for pid=330 comm="recovery" capability=0 scontext=u:r:recovery:s0
tcontext=u:r:recovery:s0 tclass=capability permissive=0a
Bug: 70350029
Test: xunchang to test
Change-Id: I46ab049b8eb600b44c84a61777fade150cadd197
parent
3dbe6f25d1
commit
87dd195b78
2 changed files with 15 additions and 2 deletions
|
@ -239,7 +239,7 @@ neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
|
||||||
neverallowxperm * devpts:chr_file ioctl TIOCSTI;
|
neverallowxperm * devpts:chr_file ioctl TIOCSTI;
|
||||||
|
|
||||||
# Do not allow any domain other than init to create unlabeled files.
|
# Do not allow any domain other than init to create unlabeled files.
|
||||||
neverallow { domain -init } unlabeled:dir_file_class_set create;
|
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
|
||||||
|
|
||||||
# Limit device node creation to these whitelisted domains.
|
# Limit device node creation to these whitelisted domains.
|
||||||
neverallow {
|
neverallow {
|
||||||
|
|
|
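Review bot: The comment `# Do not allow any domain other than init to create unlabeled files.` no longer matches the rule under it, because the new neverallow also exempts `recovery`. I would update it to `# Do not allow any domain other than init and recovery to create unlabeled files.` and add a short second comment line saying why recovery needs the exemption (per the commit message, creating /cache/recovery and its logs). A neverallow is the guard that stops later allow rules from quietly widening access, so the exemption should carry its reason next to it.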
@ -12,7 +12,15 @@ recovery_only(`
|
||||||
# Recovery can only use HALs in passthrough mode
|
# Recovery can only use HALs in passthrough mode
|
||||||
passthrough_hal_client_domain(recovery, hal_bootctl)
|
passthrough_hal_client_domain(recovery, hal_bootctl)
|
||||||
|
|
||||||
allow recovery self:global_capability_class_set { dac_override fowner setuid setgid sys_admin sys_tty_config };
|
allow recovery self:global_capability_class_set {
|
||||||
|
chown
|
||||||
|
dac_override
|
||||||
|
fowner
|
||||||
|
setuid
|
||||||
|
setgid
|
||||||
|
sys_admin
|
||||||
|
sys_tty_config
|
||||||
|
};
|
||||||
|
|
||||||
# Run helpers from / or /system without changing domain.
|
# Run helpers from / or /system without changing domain.
|
||||||
r_dir_file(recovery, rootfs)
|
r_dir_file(recovery, rootfs)
|
||||||
|
@ -26,6 +34,11 @@ recovery_only(`
|
||||||
allow recovery unlabeled:filesystem ~relabelto;
|
allow recovery unlabeled:filesystem ~relabelto;
|
||||||
allow recovery contextmount_type:filesystem relabelto;
|
allow recovery contextmount_type:filesystem relabelto;
|
||||||
|
|
||||||
|
# We may be asked to set an SELinux label for a type not known to the
|
||||||
|
# currently loaded policy. Allow it.
|
||||||
|
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
|
||||||
|
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
|
||||||
|
|
||||||
# Get file contexts
|
# Get file contexts
|
||||||
allow recovery file_contexts_file:file r_file_perms;
|
allow recovery file_contexts_file:file r_file_perms;
|
||||||
|
|
||||||
|
|
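Review bot: The comment restored above the two `allow recovery unlabeled:...` rules in the second hunk gives the old rationale, setting a label for a type unknown to the loaded policy, whereas the commit message justifies the rules by formatting /cache and writing logs under /cache/recovery. A comment naming the current reason would make the next cleanup easier to get right, for example `# /cache may be unlabeled after a format; recovery must create /cache/recovery and its logs there.` (wording inferred from the commit message, so please confirm). The quoted denials show only `search` on an unlabeled dir and the `chown` capability, so it is worth checking whether `relabelto` on `unlabeled`, and the full `create_file_perms` on `lnk_file`, are still required or whether the grant can be narrowed. Both hunks sit inside `recovery_only(`, whose body starts and ends outside the hunks.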