author | Nick Kralevich <nnk@google.com> | 2014-05-20 11:09:16 -0700 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-05-29 12:04:35 -0400 |
commit | 03ce5120722b3b5cb9cd0fec08c22681a96ee3d6 (patch) | |
tree | a1727f6d00bd9ef1e192b52f3e34acfca1a6f958 /recovery.te | |
parent | ad0d0fc722d04e465ce2b0bfd2f8e04714c75391 (diff) | |
Remove /system write from unconfined
Don't allow writes to /system from unconfined domains.
/system is always mounted read-only, and no process should
ever need to write there.
Allow recovery to write to /system. This is needed to apply OTA
images.
Change-Id: I11aa8bd0c3b7f53ebe83806a0547ab8d5f25f3c9
Diffstat (limited to 'recovery.te')
-rw-r--r-- | recovery.te | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/recovery.te b/recovery.te
index c132983..811623e 100644
--- a/recovery.te
+++ b/recovery.te
@@ -5,10 +5,14 @@ unconfined_domain(recovery)
 allow recovery self:capability2 mac_admin;
-allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
+allow recovery {dev_type -kmem_device}:dir_file_class_set relabelto;
+allow recovery {fs_type file_type}:dir_file_class_set relabelto;
 allow recovery unlabeled:filesystem mount;
 allow recovery fs_type:filesystem *;
+allow recovery exec_type:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
+allow recovery system_file:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
+
 # Required to e.g. wipe userdata/cache.
 allow recovery dev_type:blk_file rw_file_perms; |
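Review bot: The two added `allow recovery exec_type:...` and `allow recovery system_file:...` rules carry no comment, although they are the only grant of /system write access and the reason (applying OTA images) is recorded only in the commit message; a line such as `# Required to apply OTA images to /system.` above them would keep that visible in the policy. Both rules repeat the same class and permission sets and could be written once as `allow recovery { exec_type system_file }:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };`. Separately, the split relabelto rule now subtracts `kmem_device` only from `dev_type`, which matches the old rule only if `kmem_device` carries no `fs_type` or `file_type` attribute; its declaration is not visible in this diff. Nothing in this file enforces the statement that no other domain writes to /system, so a `neverallow` that exempts only `recovery` would pin it, if one does not already exist elsewhere in the policy.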