From 7ceb4cce34d3ce88f462820755e1e4829f0e0890 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 2 Mar 2015 13:37:18 -0800
Subject: [PATCH] Revert "Allow recovery to create device nodes and modify
 rootfs"

grouper and tilapia are no longer officially supported. Remove
the recovery exemptions added to the neverallow rules for them in
bug 18281224.

This reverts commit 1795b665bf89b2755b070bab43adfd521ab88ff4.
---
 domain.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index d835ee940..005b2b34f 100644
--- a/domain.te
+++ b/domain.te
@@ -262,7 +262,7 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_fi
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
 # ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };
+neverallow { domain -init -ueventd } device:chr_file { open read write };
 
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
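Review bot: Dropping `-recovery` from the `device:chr_file` rule here, and from the `rootfs:file` rule in the second hunk, only tightens a build-time assertion; it does not remove any `allow` rule that grants recovery this access. The patch touches only domain.te, so any device policy that still carries such grants for recovery will now fail the neverallow check when the policy is compiled. That is presumably the intent, but the description does not say so. It would help to state that remaining recovery policies must label the nodes they use with a specific type rather than the generic `device` type, in line with the existing comment `# Rather force a relabel to a more specific type.`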
@@ -300,7 +300,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
 neverallow domain { system_file exec_type }:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
-neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
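Review bot: The comment `# Nothing should be writing to files in the rootfs.` is broader than the rule on the changed line, which constrains only the `file` class. Directories, symlinks and other object classes labeled `rootfs` are not covered by this neverallow. Either narrow the comment, for example `# No domain may create or modify regular files labeled rootfs; other classes are not covered here.`, or check whether a wider class set can be asserted without breaking domains that legitimately create directories on rootfs. The rest of domain.te is outside this hunk, so another rule may already cover those classes.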
-- 
GitLab