am 206b1a6c
: Define specific block device types for system and recovery partitions.
* commit '206b1a6c45f1bae25906018d9c5d968330106826': Define specific block device types for system and recovery partitions.
This commit is contained in:
commit
e923f65a80
@ -68,6 +68,12 @@ type root_block_device, dev_type;
|
|||||||
# factory reset protection block device
|
# factory reset protection block device
|
||||||
type frp_block_device, dev_type;
|
type frp_block_device, dev_type;
|
||||||
|
|
||||||
|
# System block device mounted on /system.
|
||||||
|
type system_block_device, dev_type;
|
||||||
|
|
||||||
|
# Recovery block device.
|
||||||
|
type recovery_block_device, dev_type;
|
||||||
|
|
||||||
# Userdata block device mounted on /data.
|
# Userdata block device mounted on /data.
|
||||||
type userdata_block_device, dev_type;
|
type userdata_block_device, dev_type;
|
||||||
|
|
||||||
|
@ -318,3 +318,9 @@ neverallow domain default_android_service:service_manager add;
|
|||||||
neverallow { domain -init } default_prop:property_service set;
|
neverallow { domain -init } default_prop:property_service set;
|
||||||
|
|
||||||
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
|
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
|
||||||
|
|
||||||
|
# No domain other than recovery can write to system.
|
||||||
|
neverallow { domain -recovery } system_block_device:blk_file write;
|
||||||
|
|
||||||
|
# No domains other than install_recovery or recovery can write to recovery.
|
||||||
|
neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
|
||||||
|
@ -18,6 +18,8 @@ allow install_recovery system_file:file rx_file_perms;
|
|||||||
# create an appropriate label for it.
|
# create an appropriate label for it.
|
||||||
allow install_recovery block_device:dir search;
|
allow install_recovery block_device:dir search;
|
||||||
allow install_recovery block_device:blk_file rw_file_perms;
|
allow install_recovery block_device:blk_file rw_file_perms;
|
||||||
|
auditallow install_recovery block_device:blk_file rw_file_perms;
|
||||||
|
allow install_recovery recovery_block_device:blk_file rw_file_perms;
|
||||||
|
|
||||||
# Create and delete /cache/saved.file
|
# Create and delete /cache/saved.file
|
||||||
allow install_recovery cache_file:dir rw_dir_perms;
|
allow install_recovery cache_file:dir rw_dir_perms;
|
||||||
|
Loading…
Reference in New Issue
Block a user