tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Uncrypt: Allow uncrypt to write on ota_package_file.

Browse source 
This adds sepolicy rule to allow uncrypt module to write
on OTA zip (for f2fs_pin_file functionality).

Also, add a few dontaudit rules to suppress harmless denials.

Denials:
I uncrypt : type=1400 audit(0.0:177): avc: denied { write } for name="update.zip" dev="dm-10" ino=7727 scontext=u:r:uncrypt:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=0

I uncrypt : type=1400 audit(0.0:175): avc: denied { search } for name="/" dev="sda9" ino=2 scontext=u:r:uncrypt:s0 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=0

I uncrypt : type=1400 audit(0.0:176): avc: denied { search } for name="gsi" dev="sda9" ino=19 scontext=u:r:uncrypt:s0 tcontext=u:object_r:gsi_metadata_file:s0 tclass=dir permissive=0

Bug: 158070965
Cherry-Pick-Of: 916bd874d6
Merged-In: I473c5ee218c32b481040ef85caca907a48aadee6
Change-Id: I473c5ee218c32b481040ef85caca907a48aadee6
This commit is contained in:
P.Adarsh Reddy 2020-06-19 20:53:48 +05:30 committed by Paul Crowley
parent 6bdafed310
commit 5491d7e26c
2 changed files with 12 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
prebuilts/api/30.0/public/uncrypt.te
View file

@ -15,9 +15,9 @@ allow uncrypt cache_file:dir search;
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
# Read OTA zip file at /data/ota_package/.
# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
allow uncrypt ota_package_file:file r_file_perms;
allow uncrypt ota_package_file:file rw_file_perms;
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
@ -40,3 +40,7 @@ allow uncrypt proc_cmdline:file r_file_perms;
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
# Suppress the denials coming from ReadDefaultFstab call.
dontaudit uncrypt gsi_metadata_file:dir search;
dontaudit uncrypt metadata_file:dir search;

8
public/uncrypt.te
View file

@ -15,9 +15,9 @@ allow uncrypt cache_file:dir search;
allow uncrypt cache_recovery_file:dir rw_dir_perms;
allow uncrypt cache_recovery_file:file create_file_perms;
# Read OTA zip file at /data/ota_package/.
# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
allow uncrypt ota_package_file:dir r_dir_perms;
allow uncrypt ota_package_file:file r_file_perms;
allow uncrypt ota_package_file:file rw_file_perms;
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
@ -40,3 +40,7 @@ allow uncrypt proc_cmdline:file r_file_perms;
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
# Suppress the denials coming from ReadDefaultFstab call.
dontaudit uncrypt gsi_metadata_file:dir search;
dontaudit uncrypt metadata_file:dir search;