Merge "tighten up some neverallow rules."

commit: dbe5086f25162ecfa034ae585281a680f01b66d9 [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Fri Oct 06 05:10:32 2017 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Oct 06 05:10:32 2017 +0000
tree: d6275775998f5ecc94b60f615b497b2696753b2d
parent: 7a83d44f7f896ed8896d8d4dd211ed1a2cc94859 [diff]
parent: fc2449b4de0e50d39a77f3411e11d8bb1f8cac21 [diff]
diff --git a/public/domain.te b/public/domain.te
index 9bc9e4e..f28da11 100644
--- a/public/domain.te
+++ b/public/domain.te

@@ -481,10 +481,10 @@
   { append link rename write open read ioctl lock };
 
 # No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
+neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
 
 # No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
 
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
commit	dbe5086f25162ecfa034ae585281a680f01b66d9	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Fri Oct 06 05:10:32 2017 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Fri Oct 06 05:10:32 2017 +0000
tree	d6275775998f5ecc94b60f615b497b2696753b2d
parent	7a83d44f7f896ed8896d8d4dd211ed1a2cc94859 [diff]
parent	fc2449b4de0e50d39a77f3411e11d8bb1f8cac21 [diff]