From 42c05cfcc172bc61be4b0be630c9621576d108d9 Mon Sep 17 00:00:00 2001 From: Tao Bao Date: Thu, 16 May 2019 14:44:11 -0700 Subject: [PATCH] Add vendor_misc_writer. The space between 2K and 16K in /misc is currently reserved for vendor's use (as claimed in bootloader_message.h), but we don't allow vendor module to access misc_block_device other than vendor_init. The change in the topic adds a `misc_writer` tool as a vendor module, which allows writing data to the vendor space to bridge the gap in the short term. This CL adds matching labels to grant access. Long term goal is to move /misc as vendor owned, then to provide HAL access from core domain (b/132906936). Bug: 132906936 Test: Build crosshatch that includes misc_writer module. Invoke /vendor/bin/misc_writer to write data to /misc. Change-Id: I4c18d78171a839ae5497b3a61800193ef9e51b3b --- private/compat/28.0/28.0.ignore.cil | 2 ++ private/file_contexts | 1 + public/domain.te | 1 + public/vendor_misc_writer.te | 11 +++++++++++ vendor/vendor_misc_writer.te | 1 + 5 files changed, 16 insertions(+) create mode 100644 public/vendor_misc_writer.te create mode 100644 vendor/vendor_misc_writer.te diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil index efdbd5d50..b7466ac0a 100644 --- a/private/compat/28.0/28.0.ignore.cil +++ b/private/compat/28.0/28.0.ignore.cil @@ -143,6 +143,8 @@ vendor_idc_file vendor_keychars_file vendor_keylayout_file + vendor_misc_writer + vendor_misc_writer_exec vendor_task_profiles_file vrflinger_vsync_service watchdogd_tmpfs)) diff --git a/private/file_contexts b/private/file_contexts index 9e7bba7bd..dab1026b4 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -353,6 +353,7 @@ /(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0 /vendor/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0 +/vendor/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0 # HAL location /(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0 diff --git a/public/domain.te b/public/domain.te index bfc186094..c68f5abcf 100644 --- a/public/domain.te +++ b/public/domain.te @@ -603,6 +603,7 @@ neverallow { -uncrypt -update_engine -vendor_init + -vendor_misc_writer -vold -recovery -ueventd diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te new file mode 100644 index 000000000..7093fec22 --- /dev/null +++ b/public/vendor_misc_writer.te @@ -0,0 +1,11 @@ +# vendor_misc_writer +type vendor_misc_writer, domain; +type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type; + +# Raw writes to misc_block_device +allow vendor_misc_writer misc_block_device:blk_file w_file_perms; +allow vendor_misc_writer block_device:dir r_dir_perms; + +# Silence the denial when calling libfstab's ReadDefaultFstab. +dontaudit vendor_misc_writer proc_cmdline:file read; +dontaudit vendor_misc_writer metadata_file:dir search; diff --git a/vendor/vendor_misc_writer.te b/vendor/vendor_misc_writer.te new file mode 100644 index 000000000..245749e36 --- /dev/null +++ b/vendor/vendor_misc_writer.te @@ -0,0 +1 @@ +init_daemon_domain(vendor_misc_writer)