3f40d4f4b1
Only allow to domains as required and amend the existing neverallow on block_device:blk_file to replace the exemption for unconfineddomain with an explicit whitelist. The neverallow does not check other device types as specific ones may need to be writable by device-specific domains. Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
22 lines
775 B
Text
22 lines
775 B
Text
# recovery console (used in recovery init.rc for /sbin/recovery)
|
|
type recovery, domain;
|
|
allow recovery rootfs:file entrypoint;
|
|
unconfined_domain(recovery)
|
|
relabelto_domain(recovery)
|
|
|
|
allow recovery self:capability2 mac_admin;
|
|
|
|
allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
|
|
allow recovery unlabeled:filesystem mount;
|
|
allow recovery fs_type:filesystem *;
|
|
|
|
# Required to e.g. wipe userdata/cache.
|
|
allow recovery dev_type:blk_file rw_file_perms;
|
|
|
|
allow recovery self:process execmem;
|
|
allow recovery ashmem_device:chr_file execute;
|
|
allow recovery tmpfs:file rx_file_perms;
|
|
|
|
## TODO: Investigate whether it is safe to remove these
|
|
allow recovery self:capability { sys_rawio mknod };
|
|
auditallow recovery self:capability { sys_rawio mknod };
|