From 9853c7522d3e81d10c3410b1ea272b385905072e Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Tue, 5 Nov 2019 14:21:22 -0800
Subject: [PATCH] Allow reading dt fstab in boot control HAL. Fixes the following denial: type=1400 audit(0.0:4): avc: denied { read } for comm="android.hardwar" name="compatible" dev="sysfs" ino=28205 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:sysfs_dt_firmware_android:s0 tclass=file permissive=0 This permission is needed for ReadDefaultFstab, which searches the device tree for fstab entries. Devices that use dt-fstab may fail to find the misc block device.
Bug: 143589455
Test: manual test
Change-Id: Ied52fe9b1056d26b4dd00811c4690fa4c505fae8
---
 vendor/hal_bootctl_default.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index e61ba6b86..ac30370c3 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -8,6 +8,7 @@ init_daemon_domain(hal_bootctl_default)
 # Needed for ReadDefaultFstab.
 allow hal_bootctl_default proc_cmdline:file r_file_perms;
 allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
+allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
 # ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
 # a GSI-corrected fstab.
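Review bot: The directory rule directly above the added line still grants only `search` on sysfs_dt_firmware_android, so if ReadDefaultFstab lists the device-tree fstab directory (the commit message says it searches the device tree for fstab entries), a dt-fstab device would presumably still hit a dir `read`/`open` denial after this change. The quoted denial covers only the `compatible` file and the test is listed as manual, so it is worth confirming on a device that actually uses dt-fstab that no further avc denials are logged for hal_bootctl_default. If any appear, widening the existing line to `allow hal_bootctl_default sysfs_dt_firmware_android:dir r_dir_perms;` keeps the access read-only and scoped to this one type. The new file rule itself is read-only and is covered by the existing `# Needed for ReadDefaultFstab.` comment.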