sepolicy: More rules for recovery Change-Id: Ie50c04eb83cb9c62f679a1c1aa2ac482af159f7e

commit: 06ec5853f36138ffdadca3e577f251b0381f3777 [log] [tgz]
author: Steve Kondik <steve@cyngn.com> Mon Dec 01 10:38:25 2014 -0800
committer: Steve Kondik <shade@chemlab.org> Tue Dec 09 22:20:14 2014 +0000
tree: f56cc7433b252d5375c6920d1989bb47ddaced19
parent: c4f6b977c5b320b7ccef98f5ba9fa716ceacfd82 [diff] [blame]
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index 06bef3f..9d17beb 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te

@@ -1,8 +1,23 @@
+recovery_only(`
+
 # Secure adb (setup_adbd)
 allow adbd adb_keys_file:dir search;
+allow recovery adb_keys_file:dir r_dir_perms;
 allow recovery adb_keys_file:file r_file_perms;
 allow recovery shell_prop:property_service set;
 
 # Recovery dialogs
 unix_socket_connect(recovery, vold, vold)
 allow recovery tmpfs:sock_file create_file_perms;
+
+# Read packages.xml
+allow recovery system_data_file:file r_file_perms;
+
+# Manage fstab and /adb_keys
+allow recovery rootfs:file create_file_perms;
+allow recovery rootfs:dir { write add_name };
+
+# Control properties
+allow recovery recovery_prop:property_service set;
+
+')
commit	06ec5853f36138ffdadca3e577f251b0381f3777	[log] [tgz]
author	Steve Kondik <steve@cyngn.com>	Mon Dec 01 10:38:25 2014 -0800
committer	Steve Kondik <shade@chemlab.org>	Tue Dec 09 22:20:14 2014 +0000
tree	f56cc7433b252d5375c6920d1989bb47ddaced19
parent	c4f6b977c5b320b7ccef98f5ba9fa716ceacfd82 [diff] [blame]