intro misctrl

Generic binary for managing the misc partition. Bug: 317262681 Test: boot, check bugreport Change-Id: Ib172d101d68409f2500b507df50b02953c392448
2024-02-16 22:32:02 +00:00 · 2024-02-16 22:32:02 +00:00 · b4f42d449b
commit b4f42d449b
parent bbff9f5ea1
4 changed files with 18 additions and 0 deletions
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@ -405,6 +405,7 @@
 /system/bin/lpdumpd                                               lpdumpd_exec
 /system/bin/rss_hwm_reset                                         rss_hwm_reset_exec
 /system/bin/perfetto                                              perfetto_exec
+/system/bin/misctrl                                               misctrl_exec
 /system/bin/mtectrl                                               mtectrl_exec
 /system/bin/traced                                                traced_exec
 /system/bin/traced_perf                                           traced_perf_exec
--- a/private/domain.te
+++ b/private/domain.te
@ -197,6 +197,7 @@ neverallow {
  -recovery
  -ueventd
  -mtectrl
+  -misctrl
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };

 # Limit ability to ptrace or read sensitive /proc/pid files of processes
--- a/private/file_contexts
+++ b/private/file_contexts
@ -332,6 +332,7 @@
 /system/bin/rss_hwm_reset	u:object_r:rss_hwm_reset_exec:s0
 /system/bin/perfetto        u:object_r:perfetto_exec:s0
 /system/bin/mtectrl         u:object_r:mtectrl_exec:s0
+/system/bin/misctrl         u:object_r:misctrl_exec:s0
 /system/bin/traced        u:object_r:traced_exec:s0
 /system/bin/traced_perf        u:object_r:traced_perf_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0
--- a/private/misctrl.te
+++ b/private/misctrl.te
@ -0,0 +1,15 @@
+# binary for generic misc partition management
+type misctrl, domain, coredomain;
+type misctrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(misctrl)
+
+allow misctrl misc_block_device:blk_file rw_file_perms;
+allow misctrl block_device:dir r_dir_perms;
+read_fstab(misctrl)
+
+# bootloader_message tries to find the fstab in the device config path first,
+# but because we've already booted up we can use the ro.boot properties instead,
+# so we can just ignore the SELinux denial.
+dontaudit misctrl sysfs_dt_firmware_android:dir search;
+dontaudit misctrl vendor_property_type:file read;