author | Gabriele M <moto.falcon.git@gmail.com> | 2017-01-25 02:09:04 +0100 |
---|---|---|
committer | Łukasz Patron <priv.luk@gmail.com> | 2020-04-13 16:31:01 +0200 |
commit | cd91d71669cd43ff30d4b3bfd26f0d0f54135d2c (patch) | |
tree | 05667a7806817878fb5c5b89e745f61cc03d132d | |
parent | a93e0c3a3035755cd755836aa022b587c48046f8 (diff) | |
sepolicy: Allow recovery to alter /
This is needed for /etc/fstab, /adb_keys and volmgr
Change-Id: I53332a57ce7879d7ba63c4ea3e27add01f5a3a90
-rw-r--r-- | prebuilts/api/29.0/public/domain.te | 4 | ||||
-rw-r--r-- | public/domain.te | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index fe68ed02..6f3a19cd 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -488,8 +488,8 @@ neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vend
 neverallow * exec_type:dir_file_class_set mounton;
 neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+# Nothing should be writing to files in the rootfs, except recovery.
+neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
diff --git a/public/domain.te b/public/domain.te
index fe68ed02..6f3a19cd 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -488,8 +488,8 @@ neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vend
 neverallow * exec_type:dir_file_class_set mounton;
 neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+# Nothing should be writing to files in the rootfs, except recovery.
+neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute. |
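Review bot: The carve-out on the `+neverallow { domain -recovery } rootfs:file { ... }` line exempts recovery from the whole write-class set on every rootfs file, while the description only needs /etc/fstab, /adb_keys and volmgr; `relabelto`, `link` and `rename` in particular go beyond writing those files, since they let rootfs content be moved into other types or paths, so if they are not required a follow-up rule such as `neverallow recovery rootfs:file { relabelto link rename };` directly after the relaxed line keeps them denied. A neverallow only bounds what allow rules may exist, so the allow rule that actually grants recovery this access presumably lives in a device or private policy outside this commit; the comment should record the reason so the exemption is not widened further later, e.g. `# Nothing should be writing to files in the rootfs, except recovery (needs /etc/fstab, /adb_keys and volmgr).`. The same change is applied to prebuilts/api/29.0/public/domain.te, which appears to be the frozen API snapshot for this release; editing it in lockstep keeps the freeze comparison quiet but means the snapshot no longer matches the frozen upstream policy, which the description should state explicitly.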