tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "sepolicy: remove block_device access from install_recovery"

Browse source
This commit is contained in:
Nick Kralevich 2015-02-24 22:28:00 +00:00 committed by Gerrit Code Review
commit f70fcbd878
2 changed files with 1 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
domain.te
View file

@ -257,7 +257,7 @@ neverallow domain init:binder *;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.

4
install_recovery.te
View file

@ -14,11 +14,7 @@ allow install_recovery shell_exec:file rx_file_perms;
allow install_recovery system_file:file rx_file_perms;
# Update the recovery block device
# TODO: Limit this to only recovery block device when we
# create an appropriate label for it.
allow install_recovery block_device:dir search;
allow install_recovery block_device:blk_file rw_file_perms;
auditallow install_recovery block_device:blk_file rw_file_perms;
allow install_recovery recovery_block_device:blk_file rw_file_perms;
# Create and delete /cache/saved.file