From ff409bb40a7a941576118eecd2ae0eddf653e847 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sun, 15 Jun 2014 09:40:12 -0700
Subject: [PATCH] recovery: Allow exec_type on dirs, read for /dev

When applying a file based OTA, the recovery scripts sometimes
transiently label a directory as an exec_type. This occurs on
hammerhead when the OTA generation scripts generate lines of the
form:

  set_metadata_recursive("/system/vendor/bin", "uid", 0, "gid", 2000, "dmode", 0755, "fmode", 0755, "capabilities", 0x0, "selabel", "u:object_r:vss_exec:s0");
  set_metadata("/system/vendor/bin", "uid", 0, "gid", 2000, "mode", 0755, "capabilities", 0x0, "selabel", "u:object_r:system_file:s0");

which has the effect of transiently labeling the /system/vendor/bin
directory as vss_exec.

Allow this behavior for now, even though it's obviously a bug.

Also, allow recovery to read through the /dev directory.

Addresses the following denials:
  avc:  denied  { read } for  pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
  avc:  denied  { open } for  pid=143 comm="recovery" name="/" dev="tmpfs" ino=8252 scontext=u:r:recovery:s0 tcontext=u:object_r:device:s0 tclass=dir
  avc:  denied  { relabelto } for  pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc:  denied  { getattr } for  pid=142 comm="update_binary" path="/system/vendor/bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc:  denied  { setattr } for  pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir
  avc:  denied  { relabelfrom } for  pid=142 comm="update_binary" name="bin" dev="mmcblk0p25" ino=1438 scontext=u:r:recovery:s0 tcontext=u:object_r:vss_exec:s0 tclass=dir

Bug: 15575013
Change-Id: I743bea356382d3c23c136465dc5b434878370127
---
 recovery.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/recovery.te b/recovery.te
index 595876119..df1e60d4a 100644
--- a/recovery.te
+++ b/recovery.te
@@ -25,11 +25,22 @@ recovery_only(`
   allow recovery system_file:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
 
+  # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
+  # support to OTAs. However, that code has a bug. When an update occurs,
+  # some directories are inappropriately labeled as exec_type. This is
+  # only transient, and subsequent steps in the OTA script correct this
+  # mistake.
+  # Allow this behavior for now until we can fix the underlying bug.
+  # b/15575013
+  allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
+  auditallow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
+
   # Write to /proc/sys/vm/drop_caches
   # TODO: create more specific label?
   allow recovery proc:file w_file_perms;
 
   # Required to e.g. wipe userdata/cache.
+  allow recovery device:dir r_dir_perms;
   allow recovery block_device:dir r_dir_perms;
   allow recovery dev_type:blk_file rw_file_perms;
 
-- 
GitLab