From f5e7162f1dc5f0b29fe16c55aab803c208dfa15a Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 24 Feb 2015 18:07:15 -0500
Subject: [PATCH] sepolicy:  remove block_device access from install_recovery

The recovery partition has been assigned a recovery_block_device
type for the AOSP devices, so install_recovery should not need
rw access to the generic block_device type.  Remove it.

Change-Id: I31621a8157998102859a6e9eb76d405caf6d5f0d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te           | 2 +-
 install_recovery.te | 4 ----
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/domain.te b/domain.te
index 1e3b2fb2b..1c0a598d7 100644
--- a/domain.te
+++ b/domain.te
@@ -257,7 +257,7 @@ neverallow domain init:binder *;
 
 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt } block_device:blk_file { open read write };
 
 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.
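Review bot: The comment above this neverallow does not tell device maintainers what is now required of them: with `-install_recovery` dropped from the exemption set, a device whose recovery partition still carries the generic `block_device` label will have install_recovery denied, and its device policy cannot grant the access back without violating this rule. The commit message only says the `recovery_block_device` label was assigned for the AOSP devices, so other device trees presumably need their own file_contexts entry. I would add a line above the rule such as `# install_recovery is not exempt: label the recovery partition recovery_block_device in the device file_contexts.` The `auditallow` removed from install_recovery.te in the second hunk would have logged any remaining use of the generic label, so it is worth confirming those audit records were empty on the target devices before this lands.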
diff --git a/install_recovery.te b/install_recovery.te
index 52326859a..9155a2d41 100644
--- a/install_recovery.te
+++ b/install_recovery.te
@@ -14,11 +14,7 @@ allow install_recovery shell_exec:file rx_file_perms;
 allow install_recovery system_file:file rx_file_perms;
 
 # Update the recovery block device
-# TODO: Limit this to only recovery block device when we
-# create an appropriate label for it.
 allow install_recovery block_device:dir search;
-allow install_recovery block_device:blk_file rw_file_perms;
-auditallow install_recovery block_device:blk_file rw_file_perms;
 allow install_recovery recovery_block_device:blk_file rw_file_perms;
 
 # Create and delete /cache/saved.file
-- 
GitLab