Merge "Don't grant domain device:dir rw_dir_perms"
diff --git a/recovery.te b/recovery.te
index 2d400cd..951c498 100644
--- a/recovery.te
+++ b/recovery.te
@@ -20,9 +20,14 @@
   allow recovery fs_type:filesystem *;
   allow recovery unlabeled:filesystem *;
 
-  # Create and relabel files under /system.
-  allow recovery exec_type:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
-  allow recovery system_file:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
+  # Create and relabel files and directories under /system.
+  allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
+
+  # Write to /proc/sys/vm/drop_caches
+  # TODO: create more specific label?
+  allow recovery proc:file w_file_perms;
 
   # Required to e.g. wipe userdata/cache.
   allow recovery block_device:dir r_dir_perms;
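Review bot: The new `allow recovery proc:file w_file_perms;` rule grants write access to every file carrying the generic `proc` label, not just `/proc/sys/vm/drop_caches` named in the comment above it; that label covers most of procfs, including other writable sysctls. The TODO on the preceding line already recognizes this, so the rule would be better scoped by giving that path its own type via a `genfscon proc /sys/vm/drop_caches` entry and allowing `w_file_perms` only on that type. Until that is done, the comment should state the over-grant plainly, e.g. `# NOTE: proc covers all of procfs; narrow to a dedicated drop_caches type (genfscon) when available`. Separately, switching to `create_file_perms` on lines 14–15 also adds read/getattr/open compared with the explicit list that was removed; that is presumably intended, but worth confirming it is what recovery actually needs.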