diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-06-19 12:15:22 -0400 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-06-19 12:23:03 -0400 |
commit | 1095d6944c6dc206c8656a34712f15820cd18f74 (patch) | |
tree | 5255afe4f5be5e89c32a013736f28c928ad58acd /recovery.te | |
parent | 97a2cfdf6618f98fe1da51c5e77d9a5d2765c04e (diff) | |
download | android_external_sepolicy-1095d6944c6dc206c8656a34712f15820cd18f74.tar.gz android_external_sepolicy-1095d6944c6dc206c8656a34712f15820cd18f74.tar.bz2 android_external_sepolicy-1095d6944c6dc206c8656a34712f15820cd18f74.zip |
Address recovery denials.
[ 265.263738] type=1400 audit(17091747.819:4): avc: denied { write } for pid=132 comm="recovery" name="enable" dev="sysfs" ino=14405 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file
[ 265.293154] type=1400 audit(17091747.849:5): avc: denied { execute } for pid=177 comm="recovery" name="recovery" dev="rootfs" ino=6376 scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file
[ 265.299479] type=1400 audit(17091747.859:6): avc: denied { setgid } for pid=177 comm="recovery" capability=6 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
[ 265.299511] type=1400 audit(17091747.859:7): avc: denied { read write } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[ 265.299531] type=1400 audit(17091747.859:8): avc: denied { open } for pid=178 comm="recovery" name="android_adb" dev="tmpfs" ino=6739 scontext=u:r:recovery:s0 tcontext=u:object_r:adb_device:s0 tclass=chr_file
[ 265.299863] type=1400 audit(17091747.859:9): avc: denied { setuid } for pid=177 comm="recovery" capability=7 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability
Change-Id: I024d5a797b86b9766f10bbb2a6a6462cafc9c26a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'recovery.te')
-rw-r--r-- | recovery.te | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/recovery.te b/recovery.te index c6c5417..e98cf44 100644 --- a/recovery.te +++ b/recovery.te @@ -7,10 +7,10 @@ type recovery, domain; # But the allow rules are only included in the recovery policy. # Otherwise recovery is only allowed the domain rules. recovery_only(` - allow recovery rootfs:file entrypoint; + allow recovery rootfs:file { entrypoint execute }; permissive_or_unconfined(recovery) - allow recovery self:capability { chown dac_override fowner fsetid setfcap sys_admin sys_tty_config }; + allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config }; # Set security contexts on files that are not known to the loaded policy. allow recovery self:capability2 mac_admin; @@ -40,6 +40,13 @@ recovery_only(` # TODO: create more specific label? allow recovery proc:file w_file_perms; + # Write to /sys/class/android_usb/android0/enable. + # TODO: create more specific label? + allow recovery sysfs:file w_file_perms; + + # Access /dev/android_adb. + allow recovery adb_device:chr_file rw_file_perms; + # Required to e.g. wipe userdata/cache. allow recovery device:dir r_dir_perms; allow recovery block_device:dir r_dir_perms; |