Merge "Allow access to the metadata partition for metadata encryption."
am: 68e31786f0
Change-Id: I8f64eb7829dac3433cb905b76c00c9f716987281
This commit is contained in:
commit
b263aa0093
4 changed files with 13 additions and 3 deletions
3
private/e2fs.te
Normal file
3
private/e2fs.te
Normal file
|
@ -0,0 +1,3 @@
|
|||
allow e2fs devpts:chr_file { read write };
|
||||
allow e2fs metadata_block_device:blk_file rw_file_perms;
|
||||
|
|
@ -1,3 +1,5 @@
|
|||
typeattribute fsck coredomain;
|
||||
|
||||
init_daemon_domain(fsck)
|
||||
|
||||
allow fsck metadata_block_device:blk_file rw_file_perms;
|
||||
|
|
|
@ -556,8 +556,14 @@ neverallow {
|
|||
# The metadata block device is set aside for device encryption and
|
||||
# verified boot metadata. It may be reset at will and should not
|
||||
# be used by other domains.
|
||||
neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
|
||||
{ append link rename write open read ioctl lock };
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
-recovery
|
||||
-vold
|
||||
-e2fs
|
||||
-fsck
|
||||
} metadata_block_device:blk_file { append link rename write open read ioctl lock };
|
||||
|
||||
# No domain other than recovery and update_engine can write to system partition(s).
|
||||
neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
|
||||
|
|
|
@ -44,7 +44,6 @@ allow fsck rootfs:dir r_dir_perms;
|
|||
neverallow fsck {
|
||||
boot_block_device
|
||||
frp_block_device
|
||||
metadata_block_device
|
||||
recovery_block_device
|
||||
root_block_device
|
||||
swap_block_device
|
||||
|
|
Loading…
Reference in a new issue