Diffstat (limited to 'recovery.te')
-rw-r--r-- | recovery.te | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/recovery.te b/recovery.te
index 821da01..8576356 100644
--- a/recovery.te
+++ b/recovery.te
@@ -36,11 +36,9 @@ recovery_only(`
 # support to OTAs. However, that code has a bug. When an update occurs,
 # some directories are inappropriately labeled as exec_type. This is
 # only transient, and subsequent steps in the OTA script correct this
-# mistake.
-# Allow this behavior for now until we can fix the underlying bug.
-# b/15575013
+# mistake. New devices are moving to block based OTAs, so this is not
+# worth fixing. b/15575013
 allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
-auditallow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
 
 # Write to /proc/sys/vm/drop_caches
 # TODO: create more specific label?
@@ -100,3 +98,20 @@ recovery_only(`
 # set scheduling parameters for a kernel domain task.
 allow recovery kernel:process setsched;
 ')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
+neverallow recovery data_file_type:dir no_w_dir_perms; |
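Review bot: The rewritten comment on the `exec_type:dir` allowance explains why the over-broad grant is kept, but not why the matching `auditallow` is removed in the same hunk; once it is gone, exercising that grant no longer produces audit records, so the policy gives no signal if recovery relabels exec_type directories outside the transient OTA window. If the audit line is being dropped because the expected OTA relabels made it noisy, the comment should say so, e.g. `# The auditallow for this grant was removed; the relabels are expected during every file-based OTA.` Otherwise keeping the `auditallow` costs nothing at enforcement time and preserves the only visibility into this known-loose rule.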
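Review bot: The new neverallow rules only name the `file` and `dir` object classes, so other data_file_type objects such as `lnk_file`, `sock_file` and `fifo_file` remain outside the write/execute restriction, and the closing `# TODO: tighten this up further.` does not say what is still open. Naming the known gaps makes the TODO actionable, e.g. `# TODO: extend to lnk_file/sock_file/fifo_file, and to read access once the global read-only rules in domain.te are scoped down.` The rationale block above it is otherwise clear about why only write/execute is enforced for now.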