sepolicy: More rules for recovery

Change-Id: Ie50c04eb83cb9c62f679a1c1aa2ac482af159f7e
10 years ago · 06ec5853f3
parent c4f6b977c5
commit 06ec5853f3
3 changed files with 18 additions and 0 deletions
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@ -1 +1,2 @@
 type adbtcp_prop, property_type;
+type recovery_prop, property_type;
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@ -1 +1,3 @@
 service.adb.tcp.port          u:object_r:adbtcp_prop:s0
+recovery.perf.mode            u:object_r:recovery_prop:s0
+adb.secure                    u:object_r:recovery_prop:s0
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@ -1,8 +1,23 @@
+recovery_only(`
+
 # Secure adb (setup_adbd)
 allow adbd adb_keys_file:dir search;
+allow recovery adb_keys_file:dir r_dir_perms;
 allow recovery adb_keys_file:file r_file_perms;
 allow recovery shell_prop:property_service set;

 # Recovery dialogs
 unix_socket_connect(recovery, vold, vold)
 allow recovery tmpfs:sock_file create_file_perms;
+
+# Read packages.xml
+allow recovery system_data_file:file r_file_perms;
+
+# Manage fstab and /adb_keys
+allow recovery rootfs:file create_file_perms;
+allow recovery rootfs:dir { write add_name };
+
+# Control properties
+allow recovery recovery_prop:property_service set;
+
+')