Revert "Allow recovery to create device nodes and modify rootfs"

grouper and tilapia are no longer officially supported. Remove the neverallow rule added for them in bug 18281224. This reverts commit 1795b665.

Revert "Allow recovery to create device nodes and modify rootfs"
grouper and tilapia are no longer officially supported. Remove the neverallow rule added for them in bug 18281224. This reverts commit 1795b665.
7ceb4cce · Nick Kralevich · be1ac548 · 7ceb4cce
Commit 7ceb4cce authored 10 years ago by Nick Kralevich
--- a/domain.te
+++ b/domain.te
@@ -262,7 +262,7 @@ neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_fi
 # Rather force a relabel to a more specific type.
 # init is exempt from this as there are character devices that only it uses.
 # ueventd is exempt from this, as it is managing these devices.
-neverallow { domain -init -ueventd -recovery } device:chr_file { open read write };
+neverallow { domain -init -ueventd } device:chr_file { open read write };
 # Limit what domains can mount filesystems or change their mount flags.
 # sdcard_type / vfat is exempt as a larger set of domains need
@@ -300,7 +300,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
 neverallow domain { system_file exec_type }:dir_file_class_set mounton;
 # Nothing should be writing to files in the rootfs.
-neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.