Restore recovery's ability to format cache and preserve logs

Commit b8b4f5d6 'Clean up old file-based OTA SELinux rules' removed
many permissions from recovery, a few of which are still required.
Restore these.

[ 2918.409108] type=1400 audit(2327427.540:159): avc:  denied
{ search } for  pid=339 comm="recovery" name="/" dev="mmcblk0p38"
ino=2 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0
tclass=dir permissive=0
[ 2586.563071] E:Failed to mount / create /cache/recovery: Permission
denied
[ 2586.780320] E:Can't open /cache/recovery/log: Permission denied
[ 2586.850399] E:Can't open /cache/recovery/last_log: Permission
denied
[ 2586.918979] E:Can't open /cache/recovery/last_install: Permission
denied

[   54.035867] type=1400 audit(59206654.526:12): avc:  denied  { chown }
for  pid=330 comm="recovery" capability=0  scontext=u:r:recovery:s0
tcontext=u:r:recovery:s0 tclass=capability permissive=0a

Bug: 70350029
Test: xunchang to test
Change-Id: I46ab049b8eb600b44c84a61777fade150cadd197
This commit is contained in:
Jeff Vander Stoep 2017-12-11 09:22:01 -08:00
parent 3dbe6f25d1
commit 87dd195b78
2 changed files with 15 additions and 2 deletions

View file

@ -239,7 +239,7 @@ neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
neverallowxperm * devpts:chr_file ioctl TIOCSTI; neverallowxperm * devpts:chr_file ioctl TIOCSTI;
# Do not allow any domain other than init to create unlabeled files. # Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init } unlabeled:dir_file_class_set create; neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
# Limit device node creation to these whitelisted domains. # Limit device node creation to these whitelisted domains.
neverallow { neverallow {

View file

@ -12,7 +12,15 @@ recovery_only(`
# Recovery can only use HALs in passthrough mode # Recovery can only use HALs in passthrough mode
passthrough_hal_client_domain(recovery, hal_bootctl) passthrough_hal_client_domain(recovery, hal_bootctl)
allow recovery self:global_capability_class_set { dac_override fowner setuid setgid sys_admin sys_tty_config }; allow recovery self:global_capability_class_set {
chown
dac_override
fowner
setuid
setgid
sys_admin
sys_tty_config
};
# Run helpers from / or /system without changing domain. # Run helpers from / or /system without changing domain.
r_dir_file(recovery, rootfs) r_dir_file(recovery, rootfs)
@ -26,6 +34,11 @@ recovery_only(`
allow recovery unlabeled:filesystem ~relabelto; allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto; allow recovery contextmount_type:filesystem relabelto;
# We may be asked to set an SELinux label for a type not known to the
# currently loaded policy. Allow it.
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
# Get file contexts # Get file contexts
allow recovery file_contexts_file:file r_file_perms; allow recovery file_contexts_file:file r_file_perms;