sepolicy: Additional filesystem perms for recovery

Change-Id: I66c785de7256ea64302a258af7c33cb717530343
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index 87d2412..af76917 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -15,11 +15,15 @@
 
 # Manage fstab and /adb_keys
 allow recovery rootfs:file create_file_perms;
-allow recovery rootfs:dir { write add_name };
+allow recovery rootfs:dir { write create rmdir add_name remove_name };
 
-# Read /data/media files and directories
+# Read storage files and directories
 allow recovery media_rw_data_file:dir r_dir_perms;
 allow recovery media_rw_data_file:file r_file_perms;
+allow recovery vfat:dir r_dir_perms;
+allow recovery vfat:file r_file_perms;
+allow recovery sdcard_posix:dir r_dir_perms;
+allow recovery sdcard_posix:file r_file_perms;
 
 # Control properties
 allow recovery recovery_prop:property_service set;
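Review bot: The widened `allow recovery rootfs:dir { write create rmdir add_name remove_name };` still sits under the comment `# Manage fstab and /adb_keys`, which explains neither the directory `create`/`rmdir` nor `remove_name`. Because `rootfs` is the default label for ramdisk contents, the rule lets recovery create, remove and unlink entries in any directory that keeps that label, so the comment should name what is actually managed. If the new directories are mount points for the storage types added below (the hunk suggests this but does not state it), something like `# Manage fstab, /adb_keys and storage mount points on the ramdisk` would do, and a dedicated type for those directories would keep the grant narrower. The `vfat` and `sdcard_posix` read rules also bring removable-media content into recovery, so the `# Read storage files and directories` comment could note that this data is untrusted. Whether the file as a whole is wrapped in `recovery_only` is not visible from this hunk.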
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index b54b6e9..acdc7af 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -8,3 +8,8 @@
 
 # NTFS-3g wants to drop permission
 allow vold self:capability { setgid setuid };
+
+# Vold can also run as minivold in the rootfs
+recovery_only(`
+  allow vold rootfs:dir { add_name write };
+')
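Review bot: The added `allow vold rootfs:dir { add_name write };` lets vold add entries to rootfs-labelled directories, but the comment `# Vold can also run as minivold in the rootfs` does not say what minivold creates there or why. If the intent is to make mount-point directories, `add_name write` alone is not sufficient: a `create` permission on the new object's class is also needed, and it is not granted in this hunk, though it may exist elsewhere in the policy. I would extend the comment to state the purpose, e.g. `# minivold creates its mount points under / in the recovery ramdisk`, once that is confirmed. Keeping the rule inside `recovery_only` is the right scope, since it keeps normal-boot vold from gaining write access to rootfs.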