am 0055ea90: Allow recovery to create device nodes and modify rootfs * commit '0055ea904aa42340d69e0bdfdf663c505f00a992': Allow recovery to create device nodes and modify rootfs

commit: 7cd346a70eecf45363e3368ba99b728832b9a902 [log] [tgz]
author: Nick Kralevich <nnk@google.com> Fri Nov 07 21:11:35 2014 +0000
committer: Android Git Automerger <android-git-automerger@android.com> Fri Nov 07 21:11:35 2014 +0000
tree: 3ce74a2c08d8f11f95a57dff78254f9b4631601a
parent: 7adc8cfee367abc5cd17a21868b6b0bdb7b06eed [diff]
parent: 0055ea904aa42340d69e0bdfdf663c505f00a992 [diff]
diff --git a/domain.te b/domain.te
index 6b025e3..cb1c4f3 100644
--- a/domain.te
+++ b/domain.te

@@ -255,7 +255,7 @@
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
 # ueventd is exempt from this, as its managing these devices.
-neverallow { domain -unconfineddomain -ueventd } device:chr_file { open read write };
+neverallow { domain -unconfineddomain -ueventd -recovery } device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
@@ -290,7 +290,7 @@
     { create write setattr relabelfrom relabelto append unlink link rename };
 
 # Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
commit	7cd346a70eecf45363e3368ba99b728832b9a902	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Fri Nov 07 21:11:35 2014 +0000
committer	Android Git Automerger <android-git-automerger@android.com>	Fri Nov 07 21:11:35 2014 +0000
tree	3ce74a2c08d8f11f95a57dff78254f9b4631601a
parent	7adc8cfee367abc5cd17a21868b6b0bdb7b06eed [diff]
parent	0055ea904aa42340d69e0bdfdf663c505f00a992 [diff]