author | Nick Kralevich <nnk@google.com> | 2014-11-07 21:21:14 +0000 |
---|---|---|
committer | Android Git Automerger <android-git-automerger@android.com> | 2014-11-07 21:21:14 +0000 |
commit | cc132037e9bd2837f9e9c31e4fe7cb7f4df69a01 (patch) | |
tree | 63882a85a8fece083f1a9967bf71df577ac1cef9 | |
parent | f457e57db0e0497ac284125f5f78758bc7ab487b (diff) | |
parent | 7cd346a70eecf45363e3368ba99b728832b9a902 (diff) | |
download | sepolicy-cc132037e9bd2837f9e9c31e4fe7cb7f4df69a01.tar.gz |
am 7cd346a7: am 0055ea90: Allow recovery to create device nodes and modify rootfs
* commit '7cd346a70eecf45363e3368ba99b728832b9a902':
Allow recovery to create device nodes and modify rootfs
-rw-r--r-- | domain.te | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -259,7 +259,7 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } b
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 # ueventd is exempt from this, as its managing these devices.
-neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
+neverallow { domain -unconfineddomain -ueventd -recovery } device:chr_file { open read write };
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
@@ -294,7 +294,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
 { create write setattr relabelfrom relabelto append unlink link rename };
 # Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute. |
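Review bot: The comment above the `device:chr_file` rule still justifies only the ueventd exclusion, so the new `-recovery` exclusion has no stated reason; the second hunk has the same gap, where `# Nothing should be writing to files in the rootfs.` no longer matches the rule beneath it. I would add `# recovery is also exempt: it creates its own device nodes and uses them before they can be relabeled.` here (reason inferred from the commit title, please confirm) and reword the rootfs comment to `# Nothing but recovery should be writing to files in the rootfs.` A neverallow exclusion grants nothing by itself, but it removes the build-time assertion for raw open/read/write on generically labeled nodes, which is wider than the "create device nodes" in the title, so the matching allow rules (presumably in recovery.te, outside this diff) deserve the same scrutiny.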
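Review bot: Excluding recovery from the whole `rootfs:file` rule lifts the assertion for every permission in the set, `relabelto`, `link` and `rename` included, while the title only speaks of modifying rootfs. If recovery turns out to need only some of them, the others can stay asserted for all domains by splitting the rule, keeping an unconditional `neverallow domain rootfs:file { <permissions recovery does not need> };` next to the narrowed one. Which permissions recovery actually uses is not visible in this diff.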