commit 75806ef3c529c019ab002072cca7951b91f245aa
author Inseob Kim <inseob@google.com> Wed Mar 27 17:18:41 2024 +0900
committer Inseob Kim <inseob@google.com> Thu Mar 28 00:33:46 2024 +0000
tree cbd0c46779774cd09f127c0e20144c39dff08dca
parent e98c6d2b38114e0819a558ef5e0d2793a30eebff

Minimize public policy

Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.

Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
           <(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
      to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12

private/recovery_refresh.te

diff --git a/private/recovery_refresh.te b/private/recovery_refresh.te
index 3c095cc..9dd95e3 100644
--- a/private/recovery_refresh.te
+++ b/private/recovery_refresh.te
@@ -2,6 +2,27 @@
 
 init_daemon_domain(recovery_refresh)
 
+allow recovery_refresh pstorefs:dir search;
+allow recovery_refresh pstorefs:file r_file_perms;
+# NB: domain inherits write_logd which hands us write to pmsg_device
+
+###
+### Neverallow rules
+###
+### recovery_refresh should NEVER do any of this
+
+# Block device access.
+neverallow recovery_refresh dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_refresh domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_refresh system_file_type:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow recovery_refresh { app_data_file_type system_data_file }:dir_file_class_set write;
+
 # recovery_refresh is not allowed to write anywhere
 neverallow recovery_refresh {
   file_type