Restore recovery's ability to format cache and preserve logs

Commit b8b4f5d6 'Clean up old file-based OTA SELinux rules' removed many permissions from recovery, a few of which are still required. Restore these. [ 2918.409108] type=1400 audit(2327427.540:159): avc: denied { search } for pid=339 comm="recovery" name="/" dev="mmcblk0p38" ino=2 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0 [ 2586.563071] E:Failed to mount / create /cache/recovery: Permission denied [ 2586.780320] E:Can't open /cache/recovery/log: Permission denied [ 2586.850399] E:Can't open /cache/recovery/last_log: Permission denied [ 2586.918979] E:Can't open /cache/recovery/last_install: Permission denied [ 54.035867] type=1400 audit(59206654.526:12): avc: denied { chown } for pid=330 comm="recovery" capability=0 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability permissive=0a Bug: 70350029 Test: xunchang to test Change-Id: I46ab049b8eb600b44c84a61777fade150cadd197

Restore recovery's ability to format cache and preserve logs
Commit b8b4f5d6 'Clean up old file-based OTA SELinux rules' removed many permissions from recovery, a few of which are still required. Restore these. [ 2918.409108] type=1400 audit(2327427.540:159): avc: denied { search } for pid=339 comm="recovery" name="/" dev="mmcblk0p38" ino=2 scontext=u:r:recovery:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir permissive=0 [ 2586.563071] E:Failed to mount / create /cache/recovery: Permission denied [ 2586.780320] E:Can't open /cache/recovery/log: Permission denied [ 2586.850399] E:Can't open /cache/recovery/last_log: Permission denied [ 2586.918979] E:Can't open /cache/recovery/last_install: Permission denied [ 54.035867] type=1400 audit(59206654.526:12): avc: denied { chown } for pid=330 comm="recovery" capability=0 scontext=u:r:recovery:s0 tcontext=u:r:recovery:s0 tclass=capability permissive=0a Bug: 70350029 Test: xunchang to test Change-Id: I46ab049b8eb600b44c84a61777fade150cadd197
87dd195b · Jeff Vander Stoep · 3dbe6f25 · 87dd195b · 87dd195b
Commit 87dd195b authored 7 years ago by Jeff Vander Stoep
--- a/public/domain.te
+++ b/public/domain.te
@@ -239,7 +239,7 @@ neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
 neverallowxperm * devpts:chr_file ioctl TIOCSTI;
 # Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init } unlabeled:dir_file_class_set create;
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 # Limit device node creation to these whitelisted domains.
 neverallow {

--- a/public/recovery.te
+++ b/public/recovery.te
@@ -12,7 +12,15 @@ recovery_only(`
  # Recovery can only use HALs in passthrough mode
  passthrough_hal_client_domain(recovery, hal_bootctl)
-  allow recovery self:global_capability_class_set { dac_override fowner setuid setgid sys_admin sys_tty_config };
+  allow recovery self:global_capability_class_set {
+    chown
+    dac_override
+    fowner
+    setuid
+    setgid
+    sys_admin
+    sys_tty_config
+  };
  # Run helpers from / or /system without changing domain.
  r_dir_file(recovery, rootfs)
@@ -26,6 +34,11 @@ recovery_only(`
  allow recovery unlabeled:filesystem ~relabelto;
  allow recovery contextmount_type:filesystem relabelto;
+  # We may be asked to set an SELinux label for a type not known to the
+  # currently loaded policy. Allow it.
+  allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
  # Get file contexts
  allow recovery file_contexts_file:file r_file_perms;