From 0055ea904aa42340d69e0bdfdf663c505f00a992 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Fri, 7 Nov 2014 12:02:27 -0800 Subject: [PATCH] Allow recovery to create device nodes and modify rootfs tilapia's OTA code for updating the radio image needs to create files on rootfs and create a character device in /dev. Add an exception for recovery the the various neverallow rules blocking this behavior. Bug: 18281224 Change-Id: I5c57afe0a10b4598fea17f9c5c833bd39551907e --- domain.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/domain.te b/domain.te index 6b025e3e..cb1c4f35 100644 --- a/domain.te +++ b/domain.te @@ -255,7 +255,7 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } b # Don't allow raw read/write/open access to generic devices. # Rather force a relabel to a more specific type. # ueventd is exempt from this, as its managing these devices. -neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write }; +neverallow { domain -unconfineddomain -ueventd -recovery } device:chr_file { open read write }; # Limit what domains can mount filesystems or change their mount flags. # sdcard_type / vfat is exempt as a larger set of domains need @@ -290,7 +290,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set { create write setattr relabelfrom relabelto append unlink link rename }; # Nothing should be writing to files in the rootfs. -neverallow domain rootfs:file { create write setattr relabelto append unlink link rename }; +neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename }; # Restrict context mounts to specific types marked with # the contextmount_type attribute.