Merge "Add vendor_misc_writer."

am: ccf8af80b0

Change-Id: Ie5058a9a602f6b562e833198ad292ea84a5f31e5

private/compat/28.0/28.0.ignore.cil

@@ -143,6 +143,8 @@
     vendor_idc_file
     vendor_keychars_file
     vendor_keylayout_file
+    vendor_misc_writer
+    vendor_misc_writer_exec
     vendor_task_profiles_file
     vrflinger_vsync_service
     watchdogd_tmpfs))

private/file_contexts

@@ -353,6 +353,7 @@
 /(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
 
 /vendor/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
+/vendor/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
 
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0

public/domain.te

@@ -603,6 +603,7 @@ neverallow {
   -uncrypt
   -update_engine
   -vendor_init
+  -vendor_misc_writer
   -vold
   -recovery
   -ueventd

public/vendor_misc_writer.te

@@ -0,0 +1,11 @@
+# vendor_misc_writer
+type vendor_misc_writer, domain;
+type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
+
+# Raw writes to misc_block_device
+allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
+allow vendor_misc_writer block_device:dir r_dir_perms;
+
+# Silence the denial when calling libfstab's ReadDefaultFstab.
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;

vendor/vendor_misc_writer.te

@@ -0,0 +1 @@
+init_daemon_domain(vendor_misc_writer)