206b1a6c45
Define a specific block device type for system so that we can prevent raw writes to the system partition by anything other than recovery. Define a specific block device type for recovery so that we can prevent raw writes to the recovery partition by anything other than install_recovery or recovery. These types must be assigned to specific block device nodes via device-specific policy. This change merely defines the types, adds allow rules so that nothing will break when the types are assigned, and adds neverallow rules to prevent adding further allow rules on these types. This change does not remove access to the generic block_device type from any domain so nothing should break even on devices without these type assignments. Change-Id: Ie9c1f6d632f6e9e8cbba106f07f6b1979d2a3c4a Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
# Domain for the flash_recovery service declared in init.rc
# (/system/bin/install-recovery.sh), which patches the recovery
# image from the running system.
type install_recovery, domain;
type install_recovery_exec, exec_type, file_type;

# init transitions into this domain when it starts the service.
init_daemon_domain(install_recovery)

# The script needs CAP_DAC_OVERRIDE.
allow install_recovery self:capability dac_override;

# The service is a shell script: it runs /system/bin/sh (shell_exec)
# and then /system/bin/applypatch (system_file).
allow install_recovery { shell_exec system_file }:file rx_file_perms;

# Raw read/write access to the recovery partition.
#
# Only devices whose device-specific policy labels the recovery partition
# as recovery_block_device get the narrow rule; the generic block_device
# rule is kept so that devices without that labeling still work. Every
# use of the generic type is logged by the auditallow so those devices
# can be found. TODO: drop the generic block_device:blk_file rule once
# all devices assign recovery_block_device.
allow install_recovery block_device:dir search;
allow install_recovery recovery_block_device:blk_file rw_file_perms;
allow install_recovery block_device:blk_file rw_file_perms;
auditallow install_recovery block_device:blk_file rw_file_perms;

# /cache/saved.file is created and deleted while patching.
allow install_recovery cache_file:dir rw_dir_perms;
allow install_recovery cache_file:file create_file_perms;

# Writes to /proc/sys/vm/drop_caches.
# TODO: this currently grants write on every proc:file; give
# drop_caches its own label and restrict the rule to that label.
allow install_recovery proc:file w_file_perms;