From e629b7eb2d53904a6e1f598d8ea77e3e57bd206b Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 29 Sep 2017 12:34:14 -0700
Subject: [PATCH] Allow recovery to read /proc/cmdline

avc:  denied  { read } for  pid=446 comm="recovery" name="cmdline"
dev="proc" scontext=u:r:recovery:s0
tcontext=u:object_r:proc_cmdline:s0 tclass=file

Test: build
Bug: 66497047
Change-Id: I9f48db88bed0d6ac76fa2808a4913857230a5d4b
---
 public/recovery.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/public/recovery.te b/public/recovery.te
index 187251a4f..5f7a47516 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -134,6 +134,8 @@ recovery_only(`
   # This line seems suspect, as it should not really need to
   # set scheduling parameters for a kernel domain task.
   allow recovery kernel:process setsched;
+
+  allow recovery proc_cmdline:file r_file_perms;
 ')
 
 ###
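Review bot: The added rule `allow recovery proc_cmdline:file r_file_perms;` has no comment saying which part of recovery reads /proc/cmdline or why, so a later audit cannot tell whether the grant is still needed; the rule just above it is annotated. A line such as `# recovery reads /proc/cmdline; see b/66497047.` above the rule would record the intent. The logged denial covers only `read`, while `r_file_perms` grants the whole read-side set the macro bundles. That is the usual idiom, but it is worth confirming that nothing narrower was intended, since the kernel command line may carry device-specific boot parameters. The enclosing recovery_only block starts outside the hunk, so the note assumes the rule stays limited to that block's scope.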
-- 
GitLab