Remove block device access from unconfined domains. Only allow to domains as required and amend the existing neverallow on block_device:blk_file to replace the exemption for unconfineddomain with an explicit whitelist. The neverallow does not check other device types as specific ones may need to be writable by device-specific domains. Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: 3f40d4f4b17a3a5eeac38a8150ab52e47a19ab3c [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Tue Feb 11 14:40:14 2014 -0500
committer: Stephen Smalley <sds@tycho.nsa.gov> Wed Feb 12 13:03:38 2014 -0500
tree: eb39bd38941732aa9d8b8b785ac9007445597204
parent: 5487ca00d4788de367a9d099714f6df4d86ef261 [diff] [blame]
diff --git a/recovery.te b/recovery.te
index ea444c4..b6f82c7 100644
--- a/recovery.te
+++ b/recovery.te

@@ -10,6 +10,9 @@
 allow recovery unlabeled:filesystem mount;
 allow recovery fs_type:filesystem *;
 
+# Required to e.g. wipe userdata/cache.
+allow recovery dev_type:blk_file rw_file_perms;
+
 allow recovery self:process execmem;
 allow recovery ashmem_device:chr_file execute;
 allow recovery tmpfs:file rx_file_perms;
commit	3f40d4f4b17a3a5eeac38a8150ab52e47a19ab3c	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Tue Feb 11 14:40:14 2014 -0500
committer	Stephen Smalley <sds@tycho.nsa.gov>	Wed Feb 12 13:03:38 2014 -0500
tree	eb39bd38941732aa9d8b8b785ac9007445597204
parent	5487ca00d4788de367a9d099714f6df4d86ef261 [diff] [blame]