From 7e5c2883f3327921f9a777f103a0ffad6135ba7c Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Thu, 26 Oct 2017 10:29:52 -0700
Subject: [PATCH] recovery: fix denials during factory reset

Addresses these denials when wiping data on sailfish:

avc:  denied  { open } for  pid=488 comm="mke2fs_static"
path="/proc/swaps" dev="proc" ino=4026532415 scontext=u:r:recovery:s0
tcontext=u:object_r:proc_swaps:s0 tclass=file permissive=1

avc:  denied  { search } for  pid=488 comm="mke2fs_static"
name="features" dev="sysfs" ino=30084 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=dir permissive=1

avc:  denied  { read } for  pid=488 comm="mke2fs_static"
name="lazy_itable_init" dev="sysfs" ino=30085 scontext=u:r:recovery:s0
tcontext=u:object_r:sysfs_fs_ext4_features:s0 tclass=file permissive=1

Test: Wipe data/factory reset -> no selinux denials
Change-Id: Ia9e2e4fd4a1c604c9286a558ef0fe43fd153e3bc
---
 public/recovery.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/public/recovery.te b/public/recovery.te
index d0a398012..777f25752 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -52,6 +52,9 @@ recovery_only(`
   # Write to /proc/sys/vm/drop_caches
   allow recovery proc_drop_caches:file w_file_perms;
 
+  # Read /proc/swaps
+  allow recovery proc_swaps:file r_file_perms;
+
   # Read kernel config through libvintf for OTA matching
   allow recovery config_gz:file { open read getattr };
 
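Review bot: The added comment `# Read /proc/swaps` restates the rule without recording why recovery needs the access, which makes the grant hard to audit later. The commit message attributes the denial to mke2fs_static during a data wipe, so a comment such as `# mke2fs reads /proc/swaps when formatting during a data wipe` would tie the rule to its consumer. The logged denial shows only `open`, while `r_file_perms` grants the whole read set. The neighbouring config_gz rule spells out `{ open read getattr }`, and the same explicit form could be used here if the wider set turns out not to be needed. The enclosing `recovery_only(` block starts and ends outside this hunk.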
@@ -66,6 +69,9 @@ recovery_only(`
 
   allow recovery sysfs_batteryinfo:file r_file_perms;
 
+  # Read /sysfs/fs/ext4/features
+  r_dir_file(recovery, sysfs_fs_ext4_features)
+
   # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
   # control backlight brightness.
   allow recovery sysfs_leds:dir r_dir_perms;
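Review bot: The added comment `# Read /sysfs/fs/ext4/features` names the wrong path. The denials in the commit message are for `features` and `lazy_itable_init` on dev="sysfs", which is mounted at /sys. I would write `# mke2fs reads /sys/fs/ext4/features (e.g. lazy_itable_init) when formatting`, so the rule can be traced back to its consumer. `r_dir_file` also grants more on this type than the `search` and `read` that were logged; that is the usual macro for this pattern, but it is worth confirming the breadth is intended. The enclosing `recovery_only(` block continues outside this hunk.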
-- 
GitLab