authorTao Bao <tbao@google.com>2019-06-19 14:30:11 -0700
committerJeff Vander Stoep <jeffv@google.com>2020-03-30 11:49:35 +0200
commitab38d7073e15353cedfbcf8e79dfab8a77f79129 (patch)
tree291ebf28d8cb2326fc3f2f108293a408a9ca4786
parent4ee8089356aca550ed358ee14e6aa1933c52bd15 (diff)
Ignore the denial due to vendor_misc_writer reading DT fstab.
This CL addresses the following denial, which occurs when vendor_misc_writer tries to read the DT fstab (i.e. device tree fstab) for the /misc entry: avc: denied { search } for comm="misc_writer" name="android" dev="sysfs" ino=17456 scontext=u:r:vendor_misc_writer:s0 tcontext=u:object_r:sysfs_dt_firmware_android:s0 tclass=dir. DT fstab was used on devices shipped prior to Q for early-mounting partitions (e.g. /system, /vendor, /product); this has been disallowed for Q launch devices. vendor_misc_writer is a new module added since Q, so it doesn't need to support the legacy code path; in practice there's no benefit in putting the /misc entry into DT fstab either. Bug: 134122603 Bug: 152718206 Test: Build and flash taimen with the change that enables vendor_misc_writer. Check that it no longer gives the above denial during boot. Change-Id: Id2fb206706f7cd19a4cde2701e4155bfc03f01b4
-rw-r--r--prebuilts/api/29.0/public/vendor_misc_writer.te4
-rw-r--r--public/vendor_misc_writer.te4
2 files changed, 6 insertions, 2 deletions
diff --git a/prebuilts/api/29.0/public/vendor_misc_writer.te b/prebuilts/api/29.0/public/vendor_misc_writer.te
index 7093fec2..dee99413 100644
--- a/prebuilts/api/29.0/public/vendor_misc_writer.te
+++ b/prebuilts/api/29.0/public/vendor_misc_writer.te
@@ -6,6 +6,8 @@ type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
allow vendor_misc_writer block_device:dir r_dir_perms;
-# Silence the denial when calling libfstab's ReadDefaultFstab.
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
dontaudit vendor_misc_writer proc_cmdline:file read;
dontaudit vendor_misc_writer metadata_file:dir search;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 7093fec2..dee99413 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -6,6 +6,8 @@ type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
allow vendor_misc_writer block_device:dir r_dir_perms;
-# Silence the denial when calling libfstab's ReadDefaultFstab.
+# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
+# load DT fstab.
dontaudit vendor_misc_writer proc_cmdline:file read;
dontaudit vendor_misc_writer metadata_file:dir search;
+dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
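Review bot: The reworded comment at the top of this block now attributes the whole group of dontaudit rules to the DT fstab path, while only the new last line is about it; the proc_cmdline and metadata_file rules come from ReadDefaultFstab's other lookups. A one-line comment directly above the new rule would keep that distinction clear, e.g. `# DT fstab lookup is a legacy (pre-Q) path that vendor_misc_writer never needs; suppress the log noise without granting access.` It is also worth stating in that comment that this is intentionally dontaudit and should not later be promoted to allow, since the commit message says DT fstab is disallowed for Q launch devices and widening the domain into sysfs_dt_firmware_android would grant it nothing it needs. The hunk in prebuilts/api/29.0/public/vendor_misc_writer.te above carries the identical change and presumably mirrors this file, so the same comment would apply there only if that snapshot is regenerated from this source.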