From 8188830eeb3501bf650afaf50e61d08d47a01c34 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey
Date: Tue, 31 Mar 2015 18:10:19 -0700
Subject: [PATCH] sgdisk: devpts and reload partition tables.

Add rules to let sgdisk read/write to pts when forked from vold. avc: denied { read write } for path="/dev/pts/14" dev="devpts" ino=17 scontext=u:r:sgdisk:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0 Also add rule to let it kick kernel to reload partition tables after we finish editing them. Without this capability, it leaves this message and violation: Warning: The kernel is still using the old partition table. The new table will be used at the next reboot. GPT data structures destroyed! You may now partition the disk using fdisk or other utilities. avc: denied { sys_admin } for capability=21 scontext=u:r:sgdisk:s0 tcontext=u:r:sgdisk:s0 tclass=capability permissive=0

Change-Id: If26a40f9fd3b1ab2c50156ae8bdb128676521b57
---
sgdisk.te | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/sgdisk.te b/sgdisk.te
index 66656b62e..8a689a113 100644
--- a/sgdisk.te
+++ b/sgdisk.te
@@ -6,10 +6,16 @@ type sgdisk_exec, exec_type, file_type;
 allow sgdisk block_device:dir search;
 allow sgdisk vold_device:blk_file rw_file_perms;
+# Inherit and use pty created by android_fork_execvp()
+allow sgdisk devpts:chr_file { read write ioctl getattr };
+
 # Allow stdin/out back to vold
 allow sgdisk vold:fd use;
 allow sgdisk vold:fifo_file { read write getattr };
+# Used to probe kernel to reload partition tables
+allow sgdisk self:capability sys_admin;
+
 # Only allow entry from vold
 neverallow { domain -vold } sgdisk:process transition;
 neverallow domain sgdisk:process dyntransition;
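Review bot: The `allow sgdisk self:capability sys_admin;` line grants the whole sgdisk domain CAP_SYS_ADMIN, which is far broader than the single partition-table reread the comment describes (presumably a BLKRRPART-style ioctl on the block device), and policy cannot narrow a capability to one use, so the comment should record that scope decision for the next reviewer; I'd write it as `# sys_admin is needed only so sgdisk can ask the kernel to reread the partition table after editing it; it is an over-broad capability, bounded by the neverallow entry rules below.` The devpts line in the same hunk also grants `ioctl` and `getattr` although the denial quoted in the commit message shows only `{ read write }`; if sgdisk issues no tty ioctls on the inherited pty, `allow sgdisk devpts:chr_file { read write };` is sufficient, otherwise the comment should name the operation that needed them. The rest of sgdisk.te lies outside this hunk.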