From 549e3c6d91ce214739ce52b1b807ea37f1574bb1 Mon Sep 17 00:00:00 2001 From: David Anderson Date: Fri, 30 Aug 2019 13:55:50 -0700 Subject: [PATCH] Add sepolicy for IBootControl 1.1 and the default HAL. Bug: 138861550 Test: manual test Change-Id: Ibc9a55266a2726cb8dc8550be0264db30b66109e --- vendor/file_contexts | 2 +- vendor/hal_bootctl_default.te | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/vendor/file_contexts b/vendor/file_contexts index a63dd8f1b..2d25677e6 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -10,7 +10,7 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service u:object_r:hal_camera_default_exec:s0 diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te index ca30e584c..e61ba6b86 100644 --- a/vendor/hal_bootctl_default.te +++ b/vendor/hal_bootctl_default.te @@ -4,3 +4,15 @@ hal_server_domain(hal_bootctl_default, hal_bootctl) type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_bootctl_default) + +# Needed for ReadDefaultFstab. +allow hal_bootctl_default proc_cmdline:file r_file_perms; +allow hal_bootctl_default sysfs_dt_firmware_android:dir search; + +# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting +# a GSI-corrected fstab. +dontaudit hal_bootctl_default metadata_file:dir search; + +# Needed for reading/writing misc partition. +allow hal_bootctl_default block_device:dir search; +allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;