diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil index 0c36aed13..dd8cc7f6d 100644 --- a/private/compat/30.0/30.0.ignore.cil +++ b/private/compat/30.0/30.0.ignore.cil @@ -86,6 +86,7 @@ memtrackproxy_service mm_events_config_prop music_recognition_service + mtectrl nfc_logs_data_file odrefresh odrefresh_exec diff --git a/private/file_contexts b/private/file_contexts index 351cd7c5f..6730c25a3 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -304,6 +304,7 @@ /system/bin/lpdumpd u:object_r:lpdumpd_exec:s0 /system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0 /system/bin/perfetto u:object_r:perfetto_exec:s0 +/system/bin/mtectrl u:object_r:mtectrl_exec:s0 /system/bin/traced u:object_r:traced_exec:s0 /system/bin/traced_perf u:object_r:traced_perf_exec:s0 /system/bin/traced_probes u:object_r:traced_probes_exec:s0 diff --git a/private/mtectrl.te b/private/mtectrl.te new file mode 100644 index 000000000..a89edda03 --- /dev/null +++ b/private/mtectrl.te @@ -0,0 +1,9 @@ +# mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader. +type mtectrl_exec, system_file_type, exec_type, file_type; + +init_daemon_domain(mtectrl) + +# mtectrl communicates the request to the bootloader via the misc partition. +allow mtectrl misc_block_device:blk_file w_file_perms; +allow mtectrl block_device:dir r_dir_perms; +read_fstab(mtectrl) diff --git a/public/domain.te b/public/domain.te index 799a2f1c5..5c7c18cce 100644 --- a/public/domain.te +++ b/public/domain.te @@ -627,6 +627,7 @@ neverallow { -vold -recovery -ueventd + -mtectrl } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock }; # Only (hw|vnd|)servicemanager should be able to register with binder as the context manager diff --git a/public/mtectrl.te b/public/mtectrl.te new file mode 100644 index 000000000..2fb8a960c --- /dev/null +++ b/public/mtectrl.te @@ -0,0 +1 @@ +type mtectrl, domain, coredomain;