c960596cc3
Define an explicit label for /proc/sys/vm/drop_caches and grant to
the various people who need it, including vold which uses it when
performing storage benchmarks.
Also let vold create new directories under it's private storage area
where the benchmarks will be carried out. Mirror the definition of
the private storage area on expanded media.
avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
Bug: 21172095
Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
26 lines
944 B
Text
26 lines
944 B
Text
# service flash_recovery in init.rc
|
|
type install_recovery, domain;
|
|
type install_recovery_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(install_recovery)
|
|
|
|
allow install_recovery self:capability dac_override;
|
|
|
|
# /system/bin/install-recovery.sh is a shell script.
|
|
# Needs to execute /system/bin/sh
|
|
allow install_recovery shell_exec:file rx_file_perms;
|
|
|
|
# Execute /system/bin/applypatch
|
|
allow install_recovery system_file:file rx_file_perms;
|
|
|
|
# Update the recovery block device based off a diff of the boot block device
|
|
allow install_recovery block_device:dir search;
|
|
allow install_recovery boot_block_device:blk_file r_file_perms;
|
|
allow install_recovery recovery_block_device:blk_file rw_file_perms;
|
|
|
|
# Create and delete /cache/saved.file
|
|
allow install_recovery cache_file:dir rw_dir_perms;
|
|
allow install_recovery cache_file:file create_file_perms;
|
|
|
|
# Write to /proc/sys/vm/drop_caches
|
|
allow install_recovery proc_drop_caches:file w_file_perms;
|