author | Nick Kralevich <nnk@google.com> | 2014-11-07 21:11:35 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2014-11-07 21:11:35 +0000 |
commit | 7cd346a70eecf45363e3368ba99b728832b9a902 (patch) | |
tree | 3ce74a2c08d8f11f95a57dff78254f9b4631601a | |
parent | 7adc8cfee367abc5cd17a21868b6b0bdb7b06eed (diff) | |
parent | 0055ea904aa42340d69e0bdfdf663c505f00a992 (diff) | |
am 0055ea90: Allow recovery to create device nodes and modify rootfs
* commit '0055ea904aa42340d69e0bdfdf663c505f00a992':
Allow recovery to create device nodes and modify rootfs
-rw-r--r-- | domain.te | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -255,7 +255,7 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } b # Don't allow raw read/write/open access to generic devices. # Rather force a relabel to a more specific type. # ueventd is exempt from this, as its managing these devices. -neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write }; +neverallow { domain -unconfineddomain -ueventd -recovery } device:chr_file { open read write }; # Limit what domains can mount filesystems or change their mount flags. # sdcard_type / vfat is exempt as a larger set of domains need @@ -290,7 +290,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Nothing should be writing to files in the rootfs. -neverallow domain rootfs:file { create write setattr relabelto append unlink link rename }; +neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename }; # Restrict context mounts to specific types marked with # the contextmount_type attribute. |
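Review bot: The comment above the `device:chr_file` rule still names ueventd as the only exemption, and the comment above the `rootfs:file` rule in the second hunk still says nothing should write to rootfs files, so both now contradict the rules they describe. Each should state the new exception and its reason, for example `# recovery is also exempt: it creates and opens its own device nodes.` after the ueventd line, and `# Nothing except recovery should be writing to files in the rootfs.` in the second hunk. Per the existing comment, `device` is the generic type that specific labels are meant to replace, so this exemption lets recovery's allow rules (not shown in this diff) cover every character device that has not been relabelled. That breadth is worth recording in the comment so later readers do not assume recovery is still bound by this assertion.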
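Review bot: The `-recovery` exemption on the `rootfs:file` rule lifts the assertion for the whole permission set, including `relabelto` and `link`, while the commit title only speaks of modifying rootfs. If recovery's allow rules, which are outside this diff, need only part of that set, the assertion could be split so the rest stays enforced for every domain: `neverallow { domain -recovery } rootfs:file { create write setattr append unlink rename };` together with `neverallow domain rootfs:file { relabelto link };`. Which permissions recovery actually uses cannot be seen from this hunk, so this is a question for the author rather than a required change.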