sepolicy: More rules for recovery

Change-Id: Ie50c04eb83cb9c62f679a1c1aa2ac482af159f7e

3 files changed, 18 insertions, 0 deletions

diff --git a/sepolicy/property.te b/sepolicy/property.te
index 6892010..fe7d9b2 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -1 +1,2 @@
 type adbtcp_prop, property_type;
+type recovery_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index e5566dc..b3a3540 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1 +1,3 @@
 service.adb.tcp.port          u:object_r:adbtcp_prop:s0
+recovery.perf.mode            u:object_r:recovery_prop:s0
+adb.secure                    u:object_r:recovery_prop:s0
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
index 06bef3f..9d17beb 100644
--- a/sepolicy/recovery.te
+++ b/sepolicy/recovery.te
@@ -1,8 +1,23 @@
+recovery_only(`
+
 # Secure adb (setup_adbd)
 allow adbd adb_keys_file:dir search;
+allow recovery adb_keys_file:dir r_dir_perms;
 allow recovery adb_keys_file:file r_file_perms;
 allow recovery shell_prop:property_service set;
 
 # Recovery dialogs
 unix_socket_connect(recovery, vold, vold)
 allow recovery tmpfs:sock_file create_file_perms;
+
+# Read packages.xml
+allow recovery system_data_file:file r_file_perms;
+
+# Manage fstab and /adb_keys
+allow recovery rootfs:file create_file_perms;
+allow recovery rootfs:dir { write add_name };
+
+# Control properties
+allow recovery recovery_prop:property_service set;
+
+')