Merge "tighten up some neverallow rules."

dbe5086f · Treehugger Robot · Gerrit Code Review · 7a83d44f · fc2449b4 · dbe5086f
Commit dbe5086f authored 7 years ago by Treehugger Robot Committed by Gerrit Code Review 7 years ago
--- a/public/domain.te
+++ b/public/domain.te
@@ -481,10 +481,10 @@ neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
  { append link rename write open read ioctl lock };

 # No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
+neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };

 # No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };

 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.