Remove block device access from unconfined domains.
Only allow to domains as required and amend the existing
neverallow on block_device:blk_file to replace the
exemption for unconfineddomain with an explicit whitelist.
The neverallow does not check other device types as specific
ones may need to be writable by device-specific domains.
Change-Id: I0f2f1f565e886ae110a719a08aa3a1e7e9f23e8c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/recovery.te b/recovery.te
index ea444c4..b6f82c7 100644
--- a/recovery.te
+++ b/recovery.te
@@ -10,6 +10,9 @@
allow recovery unlabeled:filesystem mount;
allow recovery fs_type:filesystem *;
+# Required to e.g. wipe userdata/cache.
+allow recovery dev_type:blk_file rw_file_perms;
+
allow recovery self:process execmem;
allow recovery ashmem_device:chr_file execute;
allow recovery tmpfs:file rx_file_perms;