Diffstat (limited to 'recovery.te')
-rw-r--r--recovery.te23
1 files changed, 19 insertions, 4 deletions
diff --git a/recovery.te b/recovery.te
index 821da01..8576356 100644
--- a/recovery.te
+++ b/recovery.te
@@ -36,11 +36,9 @@ recovery_only(`
# support to OTAs. However, that code has a bug. When an update occurs,
# some directories are inappropriately labeled as exec_type. This is
# only transient, and subsequent steps in the OTA script correct this
- # mistake.
- # Allow this behavior for now until we can fix the underlying bug.
- # b/15575013
+ # mistake. New devices are moving to block based OTAs, so this is not
+ # worth fixing. b/15575013
allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
- auditallow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
# Write to /proc/sys/vm/drop_caches
# TODO: create more specific label?
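Review bot: Dropping the `auditallow` on the same line that the comment declares the bug not worth fixing leaves the relabel of exec_type directories with no audit trail, while the surviving `allow` grants `relabelfrom relabelto` on every exec_type directory, not just the ones the OTA script transiently mislabels. If the rule is to stay this broad, the comment should say so explicitly so a later reader does not assume the grant is scoped to the OTA case; something like `# NOTE: this allow covers all exec_type dirs and is no longer audited; see b/15575013.` would capture that. Otherwise keeping the `auditallow` line is the cheaper way to retain visibility into whether the relabel still happens on new devices. The enclosing recovery_only block starts before this hunk.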
@@ -100,3 +98,20 @@ recovery_only(`
# set scheduling parameters for a kernel domain task.
allow recovery kernel:process setsched;
')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery data_file_type:file { no_w_file_perms no_x_file_perms };
+neverallow recovery data_file_type:dir no_w_dir_perms;
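Review bot: The two neverallow lines at the end of the hunk constrain only the `file` and `dir` classes, so other data_file_type objects (symlinks, sockets, FIFOs) remain outside the "never touch /data" guarantee the comment above them promises. If `no_w_file_perms` applies to the lnk_file class as it does to file (worth confirming against the macro definition), adding `neverallow recovery data_file_type:lnk_file no_w_file_perms;` would close the most common gap, since a writable symlink in /data is a classic redirect vector. The `TODO: tighten this up further.` comment should at least name these uncovered classes so the remaining scope is explicit rather than implied.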