tighten up some neverallow rules.

"append" has almost the same behavior as "write". Test: policy compiles. Change-Id: I3f85108e7918766f07e03f74c3f1d8e8084042b3

tighten up some neverallow rules.
"append" has almost the same behavior as "write". Test: policy compiles. Change-Id: I3f85108e7918766f07e03f74c3f1d8e8084042b3
fc2449b4 · Nick Kralevich · 1e880410 · fc2449b4
Commit fc2449b4 authored 7 years ago by Nick Kralevich
--- a/public/domain.te
+++ b/public/domain.te
@@ -481,10 +481,10 @@ neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
  { append link rename write open read ioctl lock };

 # No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
+neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };

 # No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };

 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.