Add vendor_misc_writer.
The space between 2K and 16K in /misc is currently reserved for vendor's use (as claimed in bootloader_message.h), but we don't allow vendor module to access misc_block_device other than vendor_init. The change in the topic adds a `misc_writer` tool as a vendor module, which allows writing data to the vendor space to bridge the gap in the short term. This CL adds matching labels to grant access. Long term goal is to move /misc as vendor owned, then to provide HAL access from core domain (b/132906936). Bug: 132906936 Test: Build crosshatch that includes misc_writer module. Invoke /vendor/bin/misc_writer to write data to /misc. Change-Id: I4c18d78171a839ae5497b3a61800193ef9e51b3b
parent
264a929edb
commit
42c05cfcc1
5 changed files with 16 additions and 0 deletions
|
@ -143,6 +143,8 @@
|
|||
vendor_idc_file
|
||||
vendor_keychars_file
|
||||
vendor_keylayout_file
|
||||
vendor_misc_writer
|
||||
vendor_misc_writer_exec
|
||||
vendor_task_profiles_file
|
||||
vrflinger_vsync_service
|
||||
watchdogd_tmpfs))
|
||||
|
|
|
@ -353,6 +353,7 @@
|
|||
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
|
||||
|
||||
/vendor/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
|
||||
/vendor/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
|
||||
|
||||
# HAL location
|
||||
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
|
||||
|
|
|
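Review bot: The new `/vendor/bin/misc_writer` entry matches only the plain `/vendor` path, while the framework and HAL entries in this same hunk use the `/(vendor|system/vendor)/` prefix. On a build that keeps vendor files under /system/vendor, the binary would presumably not be labelled `vendor_misc_writer_exec`, so init would not move it into the `vendor_misc_writer` domain and the new allow rules would not apply to it. Consider `/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0`, or a one-line comment saying why the plain path is enough, as the `/vendor/apex` entry above it also uses it.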
@ -603,6 +603,7 @@ neverallow {
|
|||
-uncrypt
|
||||
-update_engine
|
||||
-vendor_init
|
||||
-vendor_misc_writer
|
||||
-vold
|
||||
-recovery
|
||||
-ueventd
|
||||
|
|
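--- /dev/null
+++ b/public/vendor_misc_writer.te
@@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;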
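Review bot: The rule `allow vendor_misc_writer misc_block_device:blk_file w_file_perms;` grants write access to the whole of /misc, not only the 2K–16K vendor range that the commit description names. A type-enforcement rule on a block device cannot express an offset limit, so keeping writes out of the rest of /misc depends entirely on the misc_writer binary, whose bounds checking is not visible in this commit. The `# Raw writes to misc_block_device` comment should say so, for example `# Raw writes to misc_block_device. Policy cannot limit the offset; misc_writer itself must keep writes inside the vendor range.` It would also help to state in this file that the domain is meant to be entered only from init, since the type is declared in public policy where other policy can reference it.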
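--- /dev/null
+++ b/vendor/vendor_misc_writer.te
@@ -0,0 +1 @@
+init_daemon_domain(vendor_misc_writer)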