am 206b1a6c: Define specific block device types for system and recovery partitions.

* commit '206b1a6c45f1bae25906018d9c5d968330106826': Define specific block device types for system and recovery partitions.
2014-10-02 16:08:33 +00:00 · 2014-10-02 16:08:33 +00:00 · e923f65a80
commit e923f65a80
parent f6a0ca25da 206b1a6c45
3 changed files with 14 additions and 0 deletions
--- a/device.te
+++ b/device.te
@ -68,6 +68,12 @@ type root_block_device, dev_type;
 # factory reset protection block device
 type frp_block_device, dev_type;

+# System block device mounted on /system.
+type system_block_device, dev_type;
+
+# Recovery block device.
+type recovery_block_device, dev_type;
+
 # Userdata block device mounted on /data.
 type userdata_block_device, dev_type;

--- a/domain.te
+++ b/domain.te
@ -318,3 +318,9 @@ neverallow domain default_android_service:service_manager add;
 neverallow { domain -init } default_prop:property_service set;

 neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
+
+# No domain other than recovery can write to system.
+neverallow { domain -recovery } system_block_device:blk_file write;
+
+# No domains other than install_recovery or recovery can write to recovery.
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
--- a/install_recovery.te
+++ b/install_recovery.te
@ -18,6 +18,8 @@ allow install_recovery system_file:file rx_file_perms;
 # create an appropriate label for it.
 allow install_recovery block_device:dir search;
 allow install_recovery block_device:blk_file rw_file_perms;
+auditallow install_recovery block_device:blk_file rw_file_perms;
+allow install_recovery recovery_block_device:blk_file rw_file_perms;

 # Create and delete /cache/saved.file
 allow install_recovery cache_file:dir rw_dir_perms;