From a03d761f191320662dfea3182164d4166c7ad1c7 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 4 Jun 2014 23:43:03 -0700
Subject: [PATCH] refine recovery domain.

Make sure we have all necessary rules to modify system_file and
exec_type.

Allow writing to /proc/sys/vm/drop_caches and other proc
files.

Addresses denials like:

  avc:  denied  { getattr } for  pid=152 comm="update_binary" path="/system/bin/debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { read } for  pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { open } for  pid=152 comm="update_binary" name="debuggerd" dev="mmcblk0p21" ino=88 scontext=u:r:recovery:s0 tcontext=u:object_r:debuggerd_exec:s0 tclass=file
  avc:  denied  { remove_name } for  pid=152 comm="update_binary" name="framework.jar" dev="mmcblk0p21" ino=1600 scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir
  avc:  denied  { add_name } for  pid=152 comm="update_binary" name="Foo.apk.patch" scontext=u:r:recovery:s0 tcontext=u:object_r:system_file:s0 tclass=dir
  avc:  denied  { write } for  pid=152 comm="update_binary" name="drop_caches" dev="proc" ino=8288 scontext=u:r:recovery:s0 tcontext=u:object_r:proc:s0 tclass=file

recovery is still in permissive_or_unconfined(), so no rules are
being enforced.

Change-Id: I14ca777fe27a2b0fd9a0aefce5ddcc402b1e5a59
---
 recovery.te | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/recovery.te b/recovery.te
index 2d400cd41..951c49824 100644
--- a/recovery.te
+++ b/recovery.te
@@ -20,9 +20,14 @@ recovery_only(`
   allow recovery fs_type:filesystem *;
   allow recovery unlabeled:filesystem *;
 
-  # Create and relabel files under /system.
-  allow recovery exec_type:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
-  allow recovery system_file:{ file dir lnk_file } { create write setattr relabelfrom relabelto append unlink link rename };
+  # Create and relabel files and directories under /system.
+  allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+  allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
+
+  # Write to /proc/sys/vm/drop_caches
+  # TODO: create more specific label?
+  allow recovery proc:file w_file_perms;
 
   # Required to e.g. wipe userdata/cache.
   allow recovery block_device:dir r_dir_perms;
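Review bot: The rewritten exec_type rule, `allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };`, drops the dir class that the removed line granted, while only system_file keeps a dir rule; if any directory under /system carries an exec_type label, recovery loses create and relabel access to it, so either add the matching `allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };` or note in the comment that exec_type directories are not expected. The new `allow recovery proc:file w_file_perms;` grants write on every file that falls under the generic proc label, not just drop_caches, and the TODO above it is currently the only thing scoping that; a dedicated genfscon label for /proc/sys/vm/drop_caches would let this rule be narrowed before recovery leaves permissive_or_unconfined(). The recovery_only block continues outside the hunk.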
-- 
GitLab