Merge "sepolicy: remove block_device access from install_recovery"
diff --git a/domain.te b/domain.te
index 1e3b2fb..1c0a598 100644
--- a/domain.te
+++ b/domain.te
@@ -257,7 +257,7 @@
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
# Don't allow raw read/write/open access to generic devices.
# Rather force a relabel to a more specific type.
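Review bot: The comment above the tightened `neverallow` in domain.te gives no reason why kernel, init, recovery, vold and uncrypt are still exempt, so a reader cannot tell which exemptions are permanent and which are only waiting for a dedicated label, as install_recovery was. If the intent is to keep shrinking this list, I would add a line such as `# Exempt domains still need the generic label; drop each one once its partition has a specific type.` above the rule. Because `neverallow` is checked when the policy is compiled, it would also help to note that a device policy still granting install_recovery access to `block_device:blk_file` will now fail to build.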
diff --git a/install_recovery.te b/install_recovery.te
index 5232685..9155a2d 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -14,11 +14,7 @@
allow install_recovery system_file:file rx_file_perms;
# Update the recovery block device
-# TODO: Limit this to only recovery block device when we
-# create an appropriate label for it.
allow install_recovery block_device:dir search;
-allow install_recovery block_device:blk_file rw_file_perms;
-auditallow install_recovery block_device:blk_file rw_file_perms;
allow install_recovery recovery_block_device:blk_file rw_file_perms;
# Create and delete /cache/saved.file
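Review bot: The `# Update the recovery block device` comment in install_recovery.te no longer states what the one remaining rule, `allow install_recovery recovery_block_device:blk_file rw_file_perms;`, depends on. It only takes effect if the recovery partition is actually labelled `recovery_block_device`, presumably in each device's file_contexts. With the `auditallow` on the generic type removed, a device that has not labelled the partition will show up only as an avc denial for install_recovery. I would extend the comment to something like `# Update the recovery block device; the partition must be labelled recovery_block_device in file_contexts.` so the requirement is visible next to the rule.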