platform_system_sepolicy/private/remount.te

type remount, domain, coredomain;
type remount_exec, system_file_type, exec_type, file_type;

userdebug_or_eng(`
  # Allow init to run clean_scratch_files and do auto domain transfer.
  init_daemon_domain(remount)

  # Allow talking to gsid.
  binder_use(remount)
  allow remount gsi_service:service_manager find;
  binder_call(remount, gsid)

  # Allow searching for /metadata/gsi/remount/lp_metadata.
  allow remount { metadata_file gsi_metadata_file_type }:dir search;

  # Allow remount to flip the overlayfs bit in the super partition.
  # This requires being able to read fstab, find /dev/block/by-name/super,
  # and read-write super.
  r_dir_file(remount, sysfs_dt_firmware_android)
  allow remount proc_bootconfig:file r_file_perms;
  allow remount proc_cmdline:file r_file_perms;
  allow remount block_device:dir r_dir_perms;
  allow remount super_block_device_type:blk_file rw_file_perms;
  allowxperm remount super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
')
Add remount.te to allow adb remount-related operations * init_daemon_domain because clean_scratch_files is executed by init * gsid related plumbing for libfs_mgr_binder Bug: 204836146 Test: Presubmit Change-Id: Idd7eacd577f538d194252174ab1e3d8396f08fb1 2021-11-02 15:08:00 +01:00			`type remount, domain, coredomain;`
			`type remount_exec, system_file_type, exec_type, file_type;`

			userdebug_or_eng(`
			`# Allow init to run clean_scratch_files and do auto domain transfer.`
			`init_daemon_domain(remount)`

			`# Allow talking to gsid.`
			`binder_use(remount)`
			`allow remount gsi_service:service_manager find;`
			`binder_call(remount, gsid)`

			`# Allow searching for /metadata/gsi/remount/lp_metadata.`
			`allow remount { metadata_file gsi_metadata_file_type }:dir search;`
Allow remount to update the super partition. "adb remount" runs the remount command, which needs to be able to update bits in the super partition metadata. This change only affects userdebug_or_eng policy. Bug: 297923468 Test: adb-remount-test.sh Change-Id: Ia78d4b0ea942a139c8a4070dc63a0eed218e3e18 2023-12-13 07:16:03 +01:00
			`# Allow remount to flip the overlayfs bit in the super partition.`
			`# This requires being able to read fstab, find /dev/block/by-name/super,`
			`# and read-write super.`
			`r_dir_file(remount, sysfs_dt_firmware_android)`
			`allow remount proc_bootconfig:file r_file_perms;`
			`allow remount proc_cmdline:file r_file_perms;`
			`allow remount block_device:dir r_dir_perms;`
			`allow remount super_block_device_type:blk_file rw_file_perms;`
			`allowxperm remount super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };`
Add remount.te to allow adb remount-related operations * init_daemon_domain because clean_scratch_files is executed by init * gsid related plumbing for libfs_mgr_binder Bug: 204836146 Test: Presubmit Change-Id: Idd7eacd577f538d194252174ab1e3d8396f08fb1 2021-11-02 15:08:00 +01:00			`')`