sepolicy: Exempt recovery from few neverallows
* needed for magisk
Change-Id: I5e79a485ff223a9122b16c7df74768480090bc26
diff --git a/prebuilts/api/34.0/private/apexd.te b/prebuilts/api/34.0/private/apexd.te
index b74d4ee..7feb515 100644
--- a/prebuilts/api/34.0/private/apexd.te
+++ b/prebuilts/api/34.0/private/apexd.te
@@ -198,7 +198,7 @@
# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+neverallow { domain -apexd -init -otapreopt_chroot -recovery } apex_mnt_dir:dir { mounton };
# Allow for use in postinstall
allow apexd otapreopt_chroot:fd use;
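Review bot: The `-recovery` exemption on the `apex_mnt_dir:dir { mounton }` neverallow is unconditional, so the assertion is relaxed in every policy build and not only where a recovery policy is compiled. Upstream keeps recovery-specific policy behind the `recovery_only()` macro; if this tree defines it, wrap the entry in it the way `userdebug_or_eng()` wraps `-mediaextractor` in domain.te. The comment above the rule explains only the otapreopt_chroot exception, so add a line such as `# recovery is exempted for <reason>` to show the new hole is deliberate. The same two points apply to every other hunk in this change (both domain.te files and their copies under private/ and public/). This file is under prebuilts/api/34.0, which looks like a frozen API snapshot, so confirm that editing it rather than only the live policy is intended, and that the device's neverallow compliance tests still pass.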
diff --git a/prebuilts/api/34.0/private/domain.te b/prebuilts/api/34.0/private/domain.te
index f98a285..8861689 100644
--- a/prebuilts/api/34.0/private/domain.te
+++ b/prebuilts/api/34.0/private/domain.te
@@ -359,6 +359,7 @@
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
+ -recovery
} {
file_type
-system_file_type
@@ -433,6 +434,7 @@
neverallow {
domain
-appdomain
+ -recovery
} {
data_file_type
-apex_art_data_file
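Review bot: Subtracting `-recovery` from the source set removes this assertion for recovery across every type in `data_file_type`, which is wider than a single tool is likely to need. The rule's permission list lies outside the hunk, so what is being permitted cannot be seen here. If only one location is involved, a narrower option is a dedicated file type subtracted from the target set, leaving the assertion intact for the rest of the data types. At minimum annotate the entry, e.g. `# recovery: exempted for <reason>`. The preceding hunk (the list ending in `-mediaswcodec`) and both copies in private/domain.te have the same shape.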
diff --git a/prebuilts/api/34.0/public/domain.te b/prebuilts/api/34.0/public/domain.te
index c977c29..c8a2bb6 100644
--- a/prebuilts/api/34.0/public/domain.te
+++ b/prebuilts/api/34.0/public/domain.te
@@ -448,7 +448,7 @@
neverallow domain device:chr_file { open read write };
# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
+neverallow { domain -recovery } { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
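Review bot: The comment `# Files from cache should never be executed` no longer matches the rule beneath it, which now lets policy grant `execute` on all four cache types to recovery. Reword it to state the exception and why it exists, e.g. `# Files from cache should never be executed, except by recovery (<reason>)`. Cache types are presumably writable by domains less privileged than recovery, so any allow rule that relies on this exemption should be limited to the one type actually needed; which domains write which cache types is not visible in this diff. The same edit appears in public/domain.te.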
diff --git a/private/apexd.te b/private/apexd.te
index b62e6e6..fb67865 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -190,7 +190,7 @@
# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+neverallow { domain -apexd -init -otapreopt_chroot -recovery } apex_mnt_dir:dir { mounton };
# Allow for use in postinstall
allow apexd otapreopt_chroot:fd use;
diff --git a/private/domain.te b/private/domain.te
index 2f107dd..63eaf30 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -358,6 +358,7 @@
-zygote
userdebug_or_eng(`-mediaextractor')
userdebug_or_eng(`-mediaswcodec')
+ -recovery
} {
file_type
-system_file_type
@@ -432,6 +433,7 @@
neverallow {
domain
-appdomain
+ -recovery
} {
data_file_type
-apex_art_data_file
diff --git a/public/domain.te b/public/domain.te
index c336d5b..d6ea7ab 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -459,7 +459,7 @@
neverallow domain device:chr_file { open read write };
# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
+neverallow { domain -recovery } { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;