author | dcashman <dcashman@google.com> | 2014-09-08 13:11:01 -0700 |
---|---|---|
committer | Nick Kralevich <nnk@google.com> | 2014-09-19 18:58:02 -0700 |
commit | f37ce3f3e2ad68da61f709567cd166a83316e3f3 (patch) | |
tree | ed92c88a4ad2fd7559fcdd364401ac2835b24745 /system_server.te | |
parent | d298354e979faf3974b181f2152bd9e3e017574a (diff) | |
Add support for factory reset protection.
Address the following denials:
<12>[ 417.732129] type=1400 audit(365340.189:47): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
<12>[ 417.882126] type=1400 audit(365340.339:48): avc: denied { read } for pid=1737 comm="Binder_2" name="mmcblk0p18" dev="tmpfs" ino=12406 scontext=u:r:system_server:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
(cherrypick of commit 47bd7300a522fb9c7e233b6d040533ad16708a0e)
Bug: 16710840
Change-Id: I8cb5b4b17dffe14f0bf05d63eb8f6ab8d5c09f53
Diffstat (limited to 'system_server.te')
-rw-r--r-- | system_server.te | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/system_server.te b/system_server.te
index 438d09d..020f2ab 100644
--- a/system_server.te
+++ b/system_server.te
@@ -386,10 +386,10 @@ allow system_server keystore:keystore_key {
 	password_uid
 };
 
-# Allow system server to search and write to the persistent data block device
-# This block device does not get wiped in a factory reset.
-allow system_server persistent_data_block_device:blk_file rw_file_perms;
+# Allow system server to search and write to the persistent factory reset
+# protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
+allow system_server frp_block_device:blk_file rw_file_perms;
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
|
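Review bot: The added `allow system_server frp_block_device:blk_file rw_file_perms;` only helps on devices whose file_contexts label the FRP partition as `frp_block_device`. The denials quoted in the commit message show the node (`mmcblk0p18`) still carrying the generic `block_device` label, so unless that labelling lands with this rule the same AVC denials will persist. Neither the labelling nor the type declaration is visible here, since the diffstat is limited to system_server.te. Because this partition survives a factory reset and backs reset protection, it is worth confirming that a `neverallow` keeps every other domain off `frp_block_device:blk_file`, so a later over-broad rule fails at policy build time. The comment could also state what is granted, e.g. `# Allow system_server to read and write the factory reset protection partition.`, since `rw_file_perms` covers read as well as the write the comment mentions.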