From fc2449b4de0e50d39a77f3411e11d8bb1f8cac21 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 4 Oct 2017 14:09:51 -0700
Subject: [PATCH] tighten up some neverallow rules.

"append" has almost the same behavior as "write".

Test: policy compiles.
Change-Id: I3f85108e7918766f07e03f74c3f1d8e8084042b3
---
 public/domain.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/public/domain.te b/public/domain.te
index 9bc9e4e3b..f28da11c5 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -481,10 +481,10 @@ neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
   { append link rename write open read ioctl lock };
 
 # No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
+neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
 
 # No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
 
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
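Review bot: The two tightened rules at L23 and L27 now deny `write` and `append` but still leave `ioctl` out, whereas the metadata_block_device rule visible at the top of this hunk enumerates `{ append link rename write open read ioctl lock }`. Some block-device ioctls can alter device contents, so if the stated intent ("no domain other than X can write to ...") is meant to be complete, the permission sets should probably mirror the metadata rule's breadth, e.g. `neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append ioctl };` and the same for recovery_block_device; this is inferred from the neighbouring rule rather than from the patch itself. If `ioctl` is deliberately left out because legitimate readers need it, a one-line comment above each rule saying so would make the asymmetry with the metadata_block_device rule intentional rather than accidental. The `# No domains other than a select few ...` comment that closes the hunk introduces a rule that continues outside it, so its permission set could not be compared here.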
-- 
GitLab