recovery: clean up audit logspam

avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:cache_file:s0 tclass=dir avc: granted { getattr } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:rootfs:s0 tclass=file avc: granted { read } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read open } scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { search } scontext=u:r:recovery:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir Fixes: 62619253 Test: policy builds, no more "granted" messages in dmesg for recovery. Change-Id: I3f6d8ceee80307a01a8fd40cb4f8362a9825b1a3

recovery: clean up audit logspam
ea1d6e7d · Jeff Vander Stoep · 86cb5215 · ea1d6e7d · ea1d6e7d
Commit ea1d6e7d authored Jun 14, 2017 by Jeff Vander Stoep
--- a/private/domain_deprecated.te
+++ b/private/domain_deprecated.te
@@ -7,6 +7,7 @@ auditallow {
  domain_deprecated
  -appdomain
  -installd
+  -recovery
  -sdcardd
  -surfaceflinger
  -system_server
@@ -38,6 +39,7 @@ auditallow {
  -fsck
  -healthd
  -installd
+  -recovery
  -servicemanager
  -system_server
  -ueventd
@@ -49,6 +51,7 @@ auditallow {
  domain_deprecated
  -healthd
  -installd
+  -recovery
  -servicemanager
  -system_server
  -ueventd
@@ -61,6 +64,7 @@ auditallow {
  -appdomain
  -healthd
  -installd
+  -recovery
  -servicemanager
  -system_server
  -ueventd
@@ -141,17 +145,20 @@ allow domain_deprecated cache_file:lnk_file r_file_perms;
 userdebug_or_eng(`
 auditallow {
  domain_deprecated
+  -recovery
  -system_server
  -vold
 } cache_file:dir { open read search ioctl lock };
 auditallow {
  domain_deprecated
  -appdomain
+  -recovery
  -system_server
  -vold
 } cache_file:dir getattr;
 auditallow {
  domain_deprecated
+  -recovery
  -system_server
  -vold
 } cache_file:file { getattr read };
@@ -212,6 +219,7 @@ auditallow {
  -fingerprintd
  -healthd
  -netd
+  -recovery
  -system_app
  -surfaceflinger
  -system_server
@@ -224,6 +232,7 @@ auditallow {
  -fingerprintd
  -healthd
  -netd
+  -recovery
  -system_app
  -surfaceflinger
  -system_server
@@ -236,6 +245,7 @@ auditallow {
  -fingerprintd
  -healthd
  -netd
+  -recovery
  -system_app
  -surfaceflinger
  -system_server


--- a/public/recovery.te
+++ b/public/recovery.te
@@ -18,6 +18,7 @@ recovery_only(`
  allow recovery self:capability2 mac_admin;

  # Run helpers from / or /system without changing domain.
+  r_dir_file(recovery, rootfs)
  allow recovery rootfs:file execute_no_trans;
  allow recovery system_file:file execute_no_trans;
  allow recovery toolbox_exec:file rx_file_perms;
@@ -56,6 +57,7 @@ recovery_only(`

  # Write to /sys/class/android_usb/android0/enable.
  # TODO: create more specific label?
+  r_dir_file(recovery, sysfs)
  allow recovery sysfs:file w_file_perms;

  # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.