Commit graph

40 commits

Author SHA1 Message Date
Nick Kralevich
303e139a5c am b76966d6: recovery: remove auditallow for exec_type:dir writes
* commit 'b76966d65d4e59cbb20b5a78bc583a9907a495da':
  recovery: remove auditallow for exec_type:dir writes
2015-03-05 23:13:44 +00:00
Nick Kralevich
b76966d65d recovery: remove auditallow for exec_type:dir writes
With the move to block based OTAs, we're never going to fix
this bug. Remove the auditallow statement to avoid SELinux log
spam.

Bug: 15575013
Change-Id: I7864e87202b1b70020a8bdf3ef327a2cf4b6bfbd
2015-03-05 14:59:53 -08:00
Patrick Tjin
899fb42c3b am bd050a8e: Allow recovery to access kmsg for log retrieval
* commit 'bd050a8ec32e9e7b0ac7cbee9ba7cf224f69acc9':
  Allow recovery to access kmsg for log retrieval
2014-12-10 22:21:13 +00:00
Patrick Tjin
bd050a8ec3 Allow recovery to access kmsg for log retrieval
Bug: 18642766

Change-Id: I97d6ab0b76b69d99dcc1928232c8961437e1e68c
Signed-off-by: Patrick Tjin <pattjin@google.com>
2014-12-09 12:43:26 -08:00
Nick Kralevich
a17a266e7e recovery.te: add /data neverallow rules
Recovery should never be accessing files from /data.
In particular, /data may be encrypted, and the files within
/data will be inaccessible to recovery, because recovery doesn't
know the decryption key.

Enforce write/execute restrictions on recovery. We can't tighten
it up further because domain.te contains some /data read-only
access rules, which shouldn't apply to recovery but do.

Create neverallow_macros, used for storing permission macros
useful for neverallow rules. Standardize recovery.te and
property_data_file on the new macros.

Change-Id: I02346ab924fe2fdb2edc7659cb68c4f8dffa1e88
2014-11-05 15:30:41 -08:00
Nick Kralevich
5fad3d98de recovery: allow changing unlabeled symbolic links
Currently, recovery is allowed write access to the following three
file labels:

* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)

system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.

The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.

The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.

Allow unlabeled symbolic link modifications.

(cherrypicked from commit 683ac49d9d)

Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c
2014-10-23 12:59:12 -07:00
Nick Kralevich
683ac49d9d recovery: allow changing unlabeled symbolic links
Currently, recovery is allowed write access to the following three
file labels:

* system_file (directories, files, and symbolic links)
* exec_type (directories, files, and symbolic links)
* unlabeled (directory and files)

system_file is the default label on all files in /system. exec_type
is the attribute used to mark executables on /system.

The third file type, "unlabeled", refers to filesystem objects where
the label hasn't been set, or a label is set but isn't defined by the
currently loaded policy.

The current policy only allows unlabeled files or directories to
be modified. Symbolic links were accidentally excluded. This causes
problems when trying to fix up labels/permissions on unlabeled
symbolic links.

Allow unlabeled symbolic link modifications.

Bug: 18079773
Change-Id: I8e5c33602cdc38ec9a95b4e83f9ccbb06fe9da7c
2014-10-23 12:12:58 -07:00
Ed Heyl
7563a6f1fb reconcile aosp (a7c04dcd74) after branching. Please do not merge.
Change-Id: I35be7a7df73325fba921b8a354659b2b2a3e06e7
2014-07-14 23:31:01 -07:00
Ed Heyl
e9c90bddce reconcile aosp (4da3bb1481) after branching. Please do not merge.
Change-Id: Idcd252e39b2c4829201c93b6c99cf368adcb405e
2014-07-14 23:29:21 -07:00
Doug Zongker
9f88bc554d support newer-style adbd interface in recovery
Support opening the ffs-based interface for adbd in recovery.  (Copied
from adbd.te.)

Bug: 16183878
Change-Id: I714ccb34f60d1413d2b184dae9b561cd06bc6b45
2014-07-10 15:58:17 -07:00
Nick Kralevich
a7c04dcd74 Remove domain:process from unconfined
Prune down unconfined so it doesn't allow process access
to all other domains. Use domain_trans() for transitions to
seclabeled domains.

Change-Id: I8e88a49e588b6b911e1f7172279455838a06091d
2014-07-10 13:54:20 -07:00
Doug Zongker
bad4e91dd2 support newer-style adbd interface in recovery
Support opening the ffs-based interface for adbd in recovery.  (Copied
from adbd.te.)

Bug: 16183878
Change-Id: Ib80e5b910d9ad4252cb80e7ce2f85e478cd94816
2014-07-10 13:40:25 -07:00
Stephen Smalley
374b2a198a Rename sdcard_internal/external types.
Rename sdcard_internal/external types to fuse and vfat
respectively to make it clear that they are assigned to any
fuse or vfat filesystem by default (absent a context= mount option)
and do not necessarily represent the SDcard.

The sdcard_type attribute is still assigned to both types and
can still be used in allow rules to permit access to either the
internal or external SDcard.

Define type aliases for the old names to preserve compatibility
on policy reload and for device-specific policies that may not yet
be updated.

Change-Id: I8d91a8c4c1342b94e4f1bb62ca7ffd2ca4b06ba1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-07-08 19:27:40 +00:00
Nick Kralevich
e9d97b744e recovery: allow read access to fuse filesystem
adb sideload depends on the ability to access the fuse
directory. Flipping recovery into enforcing started triggering
the following denial:

  type=1400 audit(17964905.699:7): avc:  denied  { search } for  pid=132 comm="recovery" name="/" dev="fuse" ino=1 scontext=u:r:recovery:s0 tcontext=u:object_r:sdcard_internal:s0 tclass=dir

Change-Id: I27ee0295fa2e2d0449bfab4f95bfbc076e92cf59
2014-07-08 10:52:05 -07:00
Nick Kralevich
c2ba5ed908 recovery: start enforcing SELinux rules
Start enforcing SELinux rules for recovery. I've been monitoring
denials, and I haven't seen anything which would indicate a problem.
We can always roll this back if something goes wrong.

Change-Id: I7d3a147f8b9000bf8181d2aa32520f15f291a6f3
2014-07-07 22:05:28 +00:00
Nick Kralevich
558710cdcc recovery: allow relabelto unlabeled and other unlabeled rules
The recovery script may ask to label a file with a label not
known to the currently loaded policy. Allow it.

Addresses the following denials:

  avc:  denied  { relabelto } for  pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file
  avc:  denied  { setattr } for  pid=143 comm="update_binary" name="vdc" dev="mmcblk0p25" ino=212 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=file

Change-Id: Iafcc7b0b3aaea5a272adb1264233978365648f94
2014-07-07 13:23:30 -07:00
Doug Zongker
93d849b674 recovery: allow creating and reading fuse filesystems
The new sideloading mechanism in recovery needs to create a fuse
filesystem and read files from it.

Change-Id: I22e1f7175baf401d2b75c4be6673ae4b75a0ccbf
2014-07-02 10:28:20 -07:00
Stephen Smalley
fee49159e7 Align SELinux property policy with init property_perms.
Introduce a net_radio_prop type for net. properties that can be
set by radio or system.
Introduce a system_radio_prop type for sys. properties that can be
set by radio or system.
Introduce a dhcp_prop type for properties that can be set by dhcp or system.
Drop the rild_prop vs radio_prop distinction; this was an early
experiment to see if we could separate properties settable by rild
versus other radio UID processes but it did not pan out.

Remove the ability to set properties from unconfineddomain.
Allow init to set any property.  Allow recovery to set ctl_default_prop
to restart adbd.

Change-Id: I5ccafcb31ec4004dfefcec8718907f6b6f3e0dfd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-23 15:45:55 -04:00
Stephen Smalley
f3c3a1aa33 Remove execute_no_trans from unconfineddomain.
execute_no_trans controls whether a domain can execve a program
without switching to another domain.  Exclude this permission from
unconfineddomain, add it back to init, init_shell, and recovery for
files in / and /system, and to kernel for files in / (to permit
execution of init prior to setcon).  Prohibit it otherwise for the
kernel domain via neverallow.  This ensures that if a kernel task
attempts to execute a kernel usermodehelper for which no domain transition
is defined, the exec will fail.

Change-Id: Ie7b2349923672dd4f5faf7c068a6e5994fd0e4e3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 22:38:28 +00:00
Stephen Smalley
1095d6944c Address recovery denials.
[  265.263738] type=1400 audit(17091747.819:4): avc:  denied  { write } for  pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
[  265.293154] type=1400 audit(17091747.849:5): avc:  denied  { execute } for  pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
[  265.299479] type=1400 audit(17091747.859:6): avc:  denied  { setgid } for  pid=177 comm="recovery" capability=6  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
[  265.299511] type=1400 audit(17091747.859:7): avc:  denied  { read write } for  pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[  265.299531] type=1400 audit(17091747.859:8): avc:  denied  { open } for  pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[  265.299863] type=1400 audit(17091747.859:9): avc:  denied  { setuid } for  pid=177 comm="recovery" capability=7  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability

Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-19 12:23:03 -04:00
Stephen Smalley
75e2ef9260 Restrict use of context= mount options.
Prior to this change, the init and recovery domains were
allowed unrestricted use of context= mount options to force
all files within a given filesystem to be treated as having a
security context specified at mount time.  The context= mount
option can be used in device-specific fstab.<board> files
to assign a context to filesystems that do not support labeling
such as vfat where the default label of sdcard_external is not
appropriate (e.g. /firmware on hammerhead).

Restrict the use of context= mount options to types marked with the
contextmount_type attribute, and then remove write access from
such types from unconfineddomain and prohibit write access to such
types via neverallow.  This ensures that the no write to /system
restriction cannot be bypassed via context= mount.

Change-Id: I4e773fadc9e11328d13a0acec164124ad6e840c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-16 13:25:07 -04:00
Nick Kralevich
ff409bb40a recovery: Allow exec_type on dirs, read for /dev
When applying a file based OTA, the recovery scripts sometimes
transiently label a directory as an exec_type. This occurs on
hammerhead when the OTA generation scripts generate lines of the
form:

  set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0");
  set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0");

which has the effect of transiently labeling the /system/vendor/bin
directory as vss_exec.

Allow this behavior for now, even though it's obviously a bug.

Also, allow recovery to read through the /dev directory.

Addresses the following denials:
  avc:  denied  { read } for  pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
  avc:  denied  { open } for  pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
  avc:  denied  { relabelto } for  pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc:  denied  { getattr } for  pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc:  denied  { setattr } for  pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc:  denied  { relabelfrom } for  pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir

Bug: 15575013
Change-Id: I743bea356382d3c23c136465dc5b434878370127
2014-06-15 09:40:12 -07:00
Nick Kralevich
f4e6902850 recovery: don't use single quote
single quotes make the m4 parser think it's at the end of
a block, and generates the following compile time warning:

  external/sepolicy/recovery.te:9:WARNING 'unrecognized character' at token ''' on line 7720:

Change-Id: I2502f16f0d9ec7528ec0fc2ee65ad65635d0101b
2014-06-09 20:36:59 -07:00
Nick Kralevich
8b7ca455a6 Refine recovery domain.
Addresses the following denials:

    avc:  denied  { read write } for  pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { open } for  pid=132 comm="recovery" name="tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { ioctl } for  pid=132 comm="recovery" path="/dev/tty0" dev="tmpfs" ino=5730 scontext=u:r:recovery:s0 tcontext=u:object_r:tty_device:s0 tclass=chr_file
    avc:  denied  { sys_tty_config } for  pid=132 comm="recovery" capability=26  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
    avc:  denied  { setfcap } for  pid=142 comm="update_binary" capability=31  scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability

Change-Id: I5219303fbd5afe8f74919db153af6525c0b54154
2014-06-07 11:53:54 -07:00
Nick Kralevich
a03d761f19 refine recovery domain.
Make sure we have all necessary rules to modify system_file and
exec_type.

Allow writing to /proc/sys/vm/drop_caches and other proc
files.

Addresses denials like:

  avc:  denied  { getattr } for  pid=152 comm="update_binary" path="/system/bin/debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { read } for  pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { open } for  pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { remove_name } for  pid=152 comm="update_binary" name="framework.jar" dev="mmcblk0p21" ino=1600 scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir
  avc:  denied  { add_name } for  pid=152 comm="update_binary" name="Foo.apk.patch" scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir
  avc:  denied  { write } for  pid=152 comm="update_binary" name="drop_caches" dev="proc" ino=8288 scontext=u:r:recovery:s0 tcontext=u:object_r:proc:s0 tclass=file

recovery is still in permissive_or_unconfined(), so no rules are
being enforced.

Change-Id: I14ca777fe27a2b0fd9a0aefce5ddcc402b1e5a59
2014-06-04 23:43:03 -07:00
Nick Kralevich
03dbf07a47 More recovery rules
Better refine the rules surrounding the recovery SELinux
domain, and get rid of dmesg log spam.

Recovery is still in permissive_or_unconfined(), so no expected
change in behavior.

Change-Id: Ie5a86f8f5d7581547879c476ebcfdb8c0876263c
2014-06-04 11:09:15 -07:00
Nick Kralevich
4203981e8b recovery: enable permissive_or_unconfined
Switch from using unconfined_domain() to permissive_or_unconfined().
For user builds, or builds with FORCE_PERMISSIVE_TO_UNCONFINED=true,
this is a no-op. For userdebug / eng builds, this will allow us to
collect denials from /proc/last_kmsg.

Change-Id: I41e1a206b2a3b0eee34539bfebfc5deee9e18a42
2014-05-31 08:10:30 -07:00
Stephen Smalley
e60723ab59 Create a separate recovery policy.
Create a separate recovery policy and only include the
recovery domain allow rules in it.

Change-Id: I444107f9821eabf4164ba07a44d03bd71e719989
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-30 12:53:32 -04:00
Stephen Smalley
eb1bbf2632 Clean up kernel, init, and recovery domains.
Narrow the relabelto rules to a more specific type set
for each domain.

Drop mount permissions from the kernel domain since mounting
occurs after switching to the init domain.  This was likely
a residual of when all processes were left in the kernel domain
on a recovery boot due to the missing setcon statement in the
recovery init.rc.

Be consistent with unlabeled filesystems (i.e. filesystems
without any matching fs_use or genfs_contexts entry) so
that we can also unmount them.

Add comments to note the reason for various rules.

Change-Id: I269a1744ed7bf8c6be899494c5dc97847e5a994d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 14:35:55 -04:00
Nick Kralevich
03ce512072 Remove /system write from unconfined
Don't allow writes to /system from unconfined domains.
/system is always mounted read-only, and no process should
ever need to write there.

Allow recovery to write to /system. This is needed to apply OTA
images.

Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
2014-05-29 12:04:35 -04:00
Stephen Smalley
356f4be679 Restrict requesting contexts other than policy-defined defaults.
Writing to the /proc/self/attr files (encapsulated by the libselinux
set*con functions) enables a program to request a specific security
context for various operations instead of the policy-defined defaults.
The security context specified using these calls is checked by an
operation-specific permission, e.g. dyntransition for setcon,
transition for setexeccon, create for setfscreatecon or
setsockcreatecon, but the ability to request a context at all
is controlled by a process permission.  Omit these permissions from
domain.te and only add them back where required so that only specific
domains can even request a context other than the default defined by
the policy.

Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-23 13:14:22 -04:00
Stephen Smalley
c2c91bba59 Drop unused rules for raw I/O and mknod.
We added these rules to the recovery domain when we removed them
from unconfined to ensure that we did not break anything. But we
have seen no uses of these rules by the recovery domain.  Tested
wiping userdata and cache from the recovery and performing an
adb sideload of an ota zip file.

Change-Id: I261cb1124130f73e98b87f3e5a31d6d7f521ff11
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-14 13:14:54 -04:00
Stephen Smalley
02dac03a8c Drop relabelto_domain() macro and its associated definitions.
This was originally to limit the ability to relabel files to
particular types given the ability of all domains to relabelfrom
unlabeled files.  Since the latter was removed by
Ied84f8b4b1a0896c1b9f7d783b7463ce09d4807b, this no longer serves
any purpose.

Change-Id: Ic41e94437188183f15ed8b3732c6cd5918da3397
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-09 18:30:22 +00:00
Stephen Smalley
3f40d4f4b1 Remove block device access from unconfined domains.
Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.

Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-12 13:03:38 -05:00
Stephen Smalley
5487ca00d4 Remove several superuser capabilities from unconfined domains.
Remove sys_ptrace and add a neverallow for it.
Remove sys_rawio and mknod, explicitly allow to kernel, init, and recovery,
and add a neverallow for them.
Remove sys_module.  It can be added back where appropriate in device
policy if using a modular kernel.  No neverallow since it is device
specific.

Change-Id: I1a7971db8d247fd53a8f9392de9e46250e91f89b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-12 11:14:16 -05:00
Stephen Smalley
b081cc1e05 Remove mount-related permissions from unconfined domains.
Only allow to specific domains as required, and add a neverallow
to prevent allowing it to other domains not explicitly whitelisted.
sdcard_type is exempted from the neverallow since more domains
require the ability to mount it, including device-specific domains.

Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-11 17:32:31 +00:00
Stephen Smalley
04ee5dfb80 Remove MAC capabilities from unconfined domains.
Linux defines two capabilities for Mandatory Access Control (MAC)
security modules, CAP_MAC_OVERRIDE (override MAC access restrictions)
and CAP_MAC_ADMIN (allow MAC configuration or state changes).
SELinux predates these capabilities and did not originally use them,
but later made use of CAP_MAC_ADMIN as a way to control the ability
to set security context values unknown to the currently loaded
SELinux policy on files.  That facility is used in Linux for e.g.
livecd creation where a file security context that is being set
on a generated filesystem is not known to the build host policy.
Internally, files with such labels are treated as having the unlabeled
security context for permission checking purposes until/unless the
context is later defined through a policy reload.

CAP_MAC_OVERRIDE is never checked by SELinux, so it never needs
to be allowed.  CAP_MAC_ADMIN is only checked if setting an
unknown security context value; the only legitimate use I can see
in Android is the recovery console, where a context may need to be set
on /system that is not defined in the recovery policy.

Remove these capabilities from unconfined domains, allow
mac_admin for the recovery domain, and add neverallow rules.

Change-Id: Ief673e12bc3caf695f3fb67cabe63e68f5f58150
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-30 14:36:57 -05:00
Stephen Smalley
9fe4e7b852 ashmem_device is a character device, not a regular file.
Change-Id: Ie3d73d2c8d5c73e8bd359123f6fd3c006f332323
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 15:33:01 -05:00
Stephen Smalley
9a40702a46 Allow recovery to execute ashmem_device and tmpfs.
Requires execmem and ashmem_device:chr_file execute similar to bootanim
presumably for the display.

Did not see any cache_file execute denials and do not see any
exec of /cache files in the code, only reading/interpreting scripts,
so I removed cache_file rx_file_perms.

Did not see any tmpfs execute denials in /proc/last_kmsg but the
source code appears to extract the update-binary to a tmpfs mount
in /tmp and then exec it.  So I retained that rule.

Tested with adb sideload.

Change-Id: I8ca5f2cd390be1adf063f16e6280cc4cd1833c0e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 14:49:35 -05:00
Stephen Smalley
6d10ca8fb6 Add a domain for the recovery console.
Define a domain for use by the recovery init.rc file for
/sbin/recovery.  Start with a copy of the kernel domain
rules since that is what /sbin/recovery was previously running in,
and then add rules as appropriate.

Change-Id:  Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-13 10:44:51 -05:00