Remove mount-related permissions from unconfined domains.

Only allow to specific domains as required, and add a neverallow to prevent allowing it to other domains not explicitly whitelisted. sdcard_type is exempted from the neverallow since more domains require the ability to mount it, including device-specific domains. Change-Id: Ia6476d1c877f5ead250749fb12bff863be5e9f27 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
author: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-10 13:29:38 -0500
committer: Nick Kralevich <nnk@google.com> 2014-02-11 17:32:31 +0000
commit: b081cc1e050843ecb7dff687f780787ad05d6143 (patch)
tree: 391ec7ba18e806341c4ecfeb4cb0b28739670d68 /recovery.te
parent: 48b18832c476f0bd8fcb8ee3e308258392f36aaf (diff)
download: android_external_sepolicy-b081cc1e050843ecb7dff687f780787ad05d6143.tar.gz
android_external_sepolicy-b081cc1e050843ecb7dff687f780787ad05d6143.tar.bz2
android_external_sepolicy-b081cc1e050843ecb7dff687f780787ad05d6143.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/recovery.te b/recovery.te
index abcf0cf..37d6455 100644
--- a/recovery.te
+++ b/recovery.te
@@ -8,6 +8,7 @@ allow recovery self:capability2 mac_admin;
 
 allow recovery {fs_type dev_type -kmem_device file_type}:dir_file_class_set relabelto;
 allow recovery unlabeled:filesystem mount;
+allow recovery fs_type:filesystem *;
 
 allow recovery self:process execmem;
 allow recovery ashmem_device:chr_file execute;
author	Stephen Smalley <sds@tycho.nsa.gov>	2014-02-10 13:29:38 -0500
committer	Nick Kralevich <nnk@google.com>	2014-02-11 17:32:31 +0000
commit	b081cc1e050843ecb7dff687f780787ad05d6143 (patch)
tree	391ec7ba18e806341c4ecfeb4cb0b28739670d68 /recovery.te
parent	48b18832c476f0bd8fcb8ee3e308258392f36aaf (diff)
download	android_external_sepolicy-b081cc1e050843ecb7dff687f780787ad05d6143.tar.gz android_external_sepolicy-b081cc1e050843ecb7dff687f780787ad05d6143.tar.bz2 android_external_sepolicy-b081cc1e050843ecb7dff687f780787ad05d6143.zip