Merge "allow run-as to access /data/local/tmp"
diff --git a/domain.te b/domain.te
index 48e2d1a..6cf7be3 100644
--- a/domain.te
+++ b/domain.te
@@ -264,7 +264,7 @@
# Rather force a relabel to a more specific type.
# init is exempt from this as there are character devices that only it uses.
# ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd } device:chr_file { open read write };
+neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };
# Limit what domains can mount filesystems or change their mount flags.
# sdcard_type / vfat is exempt as a larger set of domains need
@@ -299,7 +299,7 @@
{ create write setattr relabelfrom relabelto append unlink link rename };
# Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
diff --git a/init.te b/init.te
index 61ec44e..b833da8 100644
--- a/init.te
+++ b/init.te
@@ -94,7 +94,7 @@
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:{ dir file } { open read setattr };
# chown/chmod on devices.
-allow init qtaguid_device:chr_file { read open setattr };
+allow init { dev_type -kmem_device }:chr_file { read open setattr };
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };