549ccf77e3
This permission was created mostly for dumpstate (so it can include recovery files on bugreports when an OTA fails), but it was applied to uncrypt and recovery as well (since it had a wider access before). Grant access to cache_recovery_file where we previously granted access to cache_file. Add auditallow rules to determine if this is really needed. BUG: 25351711 Change-Id: I07745181dbb4f0bde75694ea31b3ab79a4682f18
31 lines
1.2 KiB
Text
31 lines
1.2 KiB
Text
# service flash_recovery in init.rc
|
|
type install_recovery, domain, domain_deprecated;
|
|
type install_recovery_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(install_recovery)
|
|
|
|
allow install_recovery self:capability dac_override;
|
|
|
|
# /system/bin/install-recovery.sh is a shell script.
|
|
# Needs to execute /system/bin/sh
|
|
allow install_recovery shell_exec:file rx_file_perms;
|
|
|
|
# Execute /system/bin/applypatch
|
|
allow install_recovery system_file:file rx_file_perms;
|
|
|
|
allow install_recovery toolbox_exec:file rx_file_perms;
|
|
|
|
# Update the recovery block device based off a diff of the boot block device
|
|
allow install_recovery block_device:dir search;
|
|
allow install_recovery boot_block_device:blk_file r_file_perms;
|
|
allow install_recovery recovery_block_device:blk_file rw_file_perms;
|
|
|
|
# Create and delete /cache/saved.file
|
|
allow install_recovery { cache_file cache_recovery_file }:dir rw_dir_perms;
|
|
allow install_recovery { cache_file cache_recovery_file }:file create_file_perms;
|
|
|
|
auditallow install_recovery cache_recovery_file:dir rw_dir_perms;
|
|
auditallow install_recovery cache_recovery_file:file create_file_perms;
|
|
|
|
# Write to /proc/sys/vm/drop_caches
|
|
allow install_recovery proc_drop_caches:file w_file_perms;
|