Merge "recovery: clean up audit logspam"
diff --git a/private/domain_deprecated.te b/private/domain_deprecated.te
index 69602c3..c4aacb1 100644
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -7,6 +7,7 @@
domain_deprecated
-appdomain
-installd
+ -recovery
-sdcardd
-surfaceflinger
-system_server
@@ -38,6 +39,7 @@
-fsck
-healthd
-installd
+ -recovery
-servicemanager
-system_server
-ueventd
@@ -49,6 +51,7 @@
domain_deprecated
-healthd
-installd
+ -recovery
-servicemanager
-system_server
-ueventd
@@ -61,6 +64,7 @@
-appdomain
-healthd
-installd
+ -recovery
-servicemanager
-system_server
-ueventd
@@ -141,17 +145,20 @@
userdebug_or_eng(`
auditallow {
domain_deprecated
+ -recovery
-system_server
-vold
} cache_file:dir { open read search ioctl lock };
auditallow {
domain_deprecated
-appdomain
+ -recovery
-system_server
-vold
} cache_file:dir getattr;
auditallow {
domain_deprecated
+ -recovery
-system_server
-vold
} cache_file:file { getattr read };
@@ -212,6 +219,7 @@
-fingerprintd
-healthd
-netd
+ -recovery
-system_app
-surfaceflinger
-system_server
@@ -224,6 +232,7 @@
-fingerprintd
-healthd
-netd
+ -recovery
-system_app
-surfaceflinger
-system_server
@@ -236,6 +245,7 @@
-fingerprintd
-healthd
-netd
+ -recovery
-system_app
-surfaceflinger
-system_server
diff --git a/public/recovery.te b/public/recovery.te
index f705241..fe0b20e 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -18,6 +18,7 @@
allow recovery self:capability2 mac_admin;
# Run helpers from / or /system without changing domain.
+ r_dir_file(recovery, rootfs)
allow recovery rootfs:file execute_no_trans;
allow recovery system_file:file execute_no_trans;
allow recovery toolbox_exec:file rx_file_perms;
@@ -56,6 +57,7 @@
# Write to /sys/class/android_usb/android0/enable.
# TODO: create more specific label?
+ r_dir_file(recovery, sysfs)
allow recovery sysfs:file w_file_perms;
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.