Only allow toolbox exec where /system exec was already allowed.

When the toolbox domain was introduced, we allowed all domains to exec it
to avoid breakage.  However, only domains that were previously allowed the
ability to exec /system files would have been able to do this prior to the
introduction of the toolbox domain.  Remove the rule from domain.te and add
rules to all domains that are already allowed execute_no_trans to system_file.
Requires coordination with device-specific policy changes with the same Change-Id.

Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/install_recovery.te b/install_recovery.te
index 1385220..cbc8634 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -13,6 +13,10 @@
 # Execute /system/bin/applypatch
 allow install_recovery system_file:file rx_file_perms;
 
+# XXX Execute toolbox.  Might not be needed.
+allow install_recovery toolbox_exec:file rx_file_perms;
+auditallow install_recovery toolbox_exec:file rx_file_perms;
+
 # Update the recovery block device based off a diff of the boot block device
 allow install_recovery block_device:dir search;
 allow install_recovery boot_block_device:blk_file r_file_perms;
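Review bot: The `XXX ... Might not be needed.` comment on the new `allow install_recovery toolbox_exec:file rx_file_perms;` line leaves the decision open without saying who resolves it or how; since the `auditallow` is there to answer exactly that question, the comment should state the follow-up (remove the allow if no audit messages appear, otherwise drop the `auditallow` and the `XXX`). Also, `auditallow install_recovery toolbox_exec:file rx_file_perms;` audits the full `rx_file_perms` set, so plain reads and `getattr` of the toolbox binary will log as well as executes; narrowing the `auditallow` to the execute permissions (e.g. `x_file_perms`) would make the resulting log signal reflect whether install_recovery actually execs toolbox, which is what the commit message's execute_no_trans reasoning depends on.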