Gives recovery-persist access to /cache/recovery

Recovery-persist now parses the file /cache/recovery/last_install; and unlinks it after reporting metrics. Sets up the permission accordingly; also grants access to /cache if it's a symlink (useful for a/b devices.) Denials: recovery-persis: type=1400 audit(0.0:7): avc: denied { write } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0 recovery-persis: type=1400 audit(0.0:7): avc: denied { search } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0 recovery-persis: type=1400 audit(0.0:8): avc: denied { search } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0 recovery-persis: type=1400 audit(0.0:8): avc: denied { read } for name="cache" dev="dm-0" ino=2991 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file permissive=0 Bug: 114278989 Test: checks the metrics report on devices with /cache Change-Id: Iacb5606710e26922a9fbb2d2abacf8333d6df084

Gives recovery-persist access to /cache/recovery
Recovery-persist now parses the file /cache/recovery/last_install; and unlinks it after reporting metrics. Sets up the permission accordingly; also grants access to /cache if it's a symlink (useful for a/b devices.) Denials: recovery-persis: type=1400 audit(0.0:7): avc: denied { write } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0 recovery-persis: type=1400 audit(0.0:7): avc: denied { search } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0 recovery-persis: type=1400 audit(0.0:8): avc: denied { search } for name="recovery" dev="sda35" ino=5275650 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_recovery_file:s0 tclass=dir permissive=0 recovery-persis: type=1400 audit(0.0:8): avc: denied { read } for name="cache" dev="dm-0" ino=2991 scontext=u:r:recovery_persist:s0 tcontext=u:object_r:cache_file:s0 tclass=lnk_file permissive=0 Bug: 114278989 Test: checks the metrics report on devices with /cache Change-Id: Iacb5606710e26922a9fbb2d2abacf8333d6df084
8b3f4c5b · Tianjie Xu · 275ea12d · 8b3f4c5b
Commit 8b3f4c5b authored 6 years ago by Tianjie Xu
--- a/public/recovery_persist.te
+++ b/public/recovery_persist.te
@@ -8,6 +8,11 @@ allow recovery_persist pstorefs:file r_file_perms;
 allow recovery_persist recovery_data_file:file create_file_perms;
 allow recovery_persist recovery_data_file:dir create_dir_perms;

+allow recovery_persist cache_file:dir search;
+allow recovery_persist cache_file:lnk_file read;
+allow recovery_persist cache_recovery_file:dir rw_dir_perms;
+allow recovery_persist cache_recovery_file:file { r_file_perms unlink };
+
 ###
 ### Neverallow rules
 ###