tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

update_verifier: Allow searching /dev/block.

Browse source 
update_verifier calls bootcontrol HAL to mark the currently booting slot
as successfully booted.

avc: denied { search } for name="block" dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
avc: denied { search } for name="block" dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0

Bug: 29569601
Test: Device boots up with no update_verifier denials and 'bootctl is-slot-marked-successful 0' returns 0.
Change-Id: I1baa7819bc829e3c4b83d7168008a5b06b01cc9f
This commit is contained in:
Tao Bao 2016-06-22 12:16:47 -07:00 committed by Jeffrey Vander Stoep
parent 2c1b02eba6
commit 1e17dafc6d
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
update_verifier.te
View file

@ -5,4 +5,7 @@ type update_verifier_exec, exec_type, file_type;
init_daemon_domain(update_verifier)
# Allow update_verifier to reach block devices in /dev/block.
allow update_verifier block_device:dir search;
# TODO: Add rules to allow update_verifier to read system_block_device.