From 7e5c2883f3327921f9a777f103a0ffad6135ba7c Mon Sep 17 00:00:00 2001
From: Tri Vo
Date: Thu, 26 Oct 2017 10:29:52 -0700
Subject: [PATCH] recovery: fix denials during factory reset
Addresses these denials when wiping data on sailfish:
avc: denied { open } for pid=488 comm="mke2fs_static" path="/proc/swaps" dev="proc" ino=4026532415 scontext=u:r:recovery:s0 tcontext=u:object_r:proc_swaps:s0 tclass=file permissive=1
avc: denied { search } for pid=488 comm="mke2fs_static" name="features" dev="sysfs" ino=30084 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=dir permissive=1
avc: denied { read } for pid=488 comm="mke2fs_static" name="lazy_itable_init" dev="sysfs" ino=30085 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=file permissive=1
Test: Wipe data/factory reset -> no selinux denials
Change-Id: Ia9e2e4fd4a1c604c9286a558ef0fe43fd153e3bc
---
 public/recovery.te | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/public/recovery.te b/public/recovery.te
index d0a398012..777f25752 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -52,6 +52,9 @@ recovery_only(`
 # Write to /proc/sys/vm/drop_caches
 allow recovery proc_drop_caches:file w_file_perms;
+ # Read /proc/swaps
+ allow recovery proc_swaps:file r_file_perms;
+
 # Read kernel config through libvintf for OTA matching
 allow recovery config_gz:file { open read getattr };
@@ -66,6 +69,9 @@ recovery_only(`
 allow recovery sysfs_batteryinfo:file r_file_perms;
+ # Read /sysfs/fs/ext4/features
+ r_dir_file(recovery, sysfs_fs_ext4_features)
+
 # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
 # control backlight brightness.
 allow recovery sysfs_leds:dir r_dir_perms;
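Review bot: The added comment `# Read /proc/swaps` in the first hunk records what is allowed but not which part of recovery needs it. The commit message shows the access comes from `mke2fs_static` during wipe data, so I would write `# Read /proc/swaps. Needed by mke2fs when wiping data.` to let a later audit tie the rule to its consumer. The quoted denial covers only `open`, while `r_file_perms` grants the full read set; that is the usual macro, but the grant is wider than the evidence in the commit message. The enclosing `recovery_only(` block starts and ends outside this hunk.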
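Review bot: The comment added in the second hunk names `/sysfs/fs/ext4/features`, which is not a real path. The denials in the commit message are on `dev="sysfs"`, so it should read `# Read /sys/fs/ext4/features`. `r_dir_file(recovery, sysfs_fs_ext4_features)` also grants more than the two logged denials (dir `search`, file `read`); as far as I know the macro adds directory listing and symlink reads too. That is reasonable for read-only feature flags, but the comment should name mke2fs as the consumer so the breadth stays justified. The enclosing `recovery_only(` block starts and ends outside this hunk.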