Merge "isolated_app: remove app_data_file execute"
diff --git a/device.te b/device.te
index abe5daa..c1f3d28 100644
--- a/device.te
+++ b/device.te
@@ -68,6 +68,12 @@
# factory reset protection block device
type frp_block_device, dev_type;
+# System block device mounted on /system.
+type system_block_device, dev_type;
+
+# Recovery block device.
+type recovery_block_device, dev_type;
+
# Userdata block device mounted on /data.
type userdata_block_device, dev_type;
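Review bot: The two new types on the added lines are declared but nothing in this diff assigns them to a device node, so until a file_contexts (or ueventd) entry labels the /system and recovery partitions with `system_block_device` / `recovery_block_device`, every rule written against these types is vacuous and the partitions keep the generic `block_device` label. If that labeling lands in a separate change, a comment naming it would help the next reader, e.g. `# Labeled via file_contexts for the device's system/recovery partitions.` above each type. It is also worth confirming that the device-specific policy that derives the actual partition paths applies these labels, since nothing here shows that.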
diff --git a/domain.te b/domain.te
index 8e9d8c4..86aeb07 100644
--- a/domain.te
+++ b/domain.te
@@ -318,3 +318,9 @@
neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init -recovery -system_server } frp_block_device:blk_file rw_file_perms;
+
+# No domain other than recovery can write to system.
+neverallow { domain -recovery } system_block_device:blk_file write;
+
+# No domains other than install_recovery or recovery can write to recovery.
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
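Review bot: Both new neverallow rules restrict only the `write` permission, whereas the frp rule directly above them uses `rw_file_perms`; a domain holding `append` (open with O_APPEND) or `setattr` on the block device is not caught by these rules, and `ioctl` on a blk_file is likewise unconstrained. If the intent is "no domain other than recovery can modify /system", the check should cover the full write-side permission set, e.g. `neverallow { domain -recovery } system_block_device:blk_file { write append setattr };` and the same for the recovery line, or the policy's `no_w_file_perms` macro if the global macros define it. The same narrowing applies to both added rules.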
diff --git a/install_recovery.te b/install_recovery.te
index 138134a..5232685 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -18,6 +18,8 @@
# create an appropriate label for it.
allow install_recovery block_device:dir search;
allow install_recovery block_device:blk_file rw_file_perms;
+auditallow install_recovery block_device:blk_file rw_file_perms;
+allow install_recovery recovery_block_device:blk_file rw_file_perms;
# Create and delete /cache/saved.file
allow install_recovery cache_file:dir rw_dir_perms;
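Review bot: The added `auditallow` on the generic `block_device` label has no comment stating why it exists, and the existing `allow ... block_device:blk_file rw_file_perms` on the line above it is left in place, so install_recovery keeps read/write access to every block device that is still labeled `block_device`, which is presumably the state until the recovery partition is relabeled. A one-line note would make the intent clear and give a removal criterion, e.g. `# Temporary: audit accesses to generically-labeled block devices so the remaining ones can be given a specific label, then drop the block_device rw rule.` If the auditallow is instead meant to stay permanently, the comment should say that, since auditallow rules are easy to mistake for leftovers.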