Merge changes from topic "sharedlib_in_recovery"
am: b6639b0f52
Change-Id: Ib8f626662a1e6e9de105bbbf973215e997079aea
This commit is contained in:
Jiyong Park
android-build-merger
commit
b585f6c028
3 changed files with 27 additions and 0 deletions
|
|
@ -103,3 +103,18 @@ neverallow kernel *:file { entrypoint execute_no_trans };
|
||||||
# Instead of adding dac_{read_search,override}, fix the unix permissions
|
# Instead of adding dac_{read_search,override}, fix the unix permissions
|
||||||
# on files being accessed.
|
# on files being accessed.
|
||||||
neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
|
neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
|
||||||
|
|
||||||
|
# Allow the first-stage init (which is running in the kernel domain) to execute the
|
||||||
|
# dynamic linker when it re-executes /init to switch into the second stage.
|
||||||
|
# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
|
||||||
|
# before the domain is switched to the target domain. So, we need to allow the kernel
|
||||||
|
# domain (the source domain) to execute the dynamic linker (system_file type).
|
||||||
|
# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
|
||||||
|
# kernel older than 4.8.
|
||||||
|
allow kernel system_file:file execute;
|
||||||
|
# The label for the dynamic linker is rootfs in the recovery partition. This is because
|
||||||
|
# the recovery partition which is rootfs does not support xattr and thus labeling can't be
|
||||||
|
# done at build-time. All files are by default labeled as rootfs upon booting.
|
||||||
|
recovery_only(`
|
||||||
|
allow kernel rootfs:file execute;
|
||||||
|
')
|
||||||
|
|
|
||||||
|
|
@ -39,6 +39,12 @@ allow ueventd self:process setfscreate;
|
||||||
# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
|
# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
|
||||||
allow ueventd proc_cmdline:file r_file_perms;
|
allow ueventd proc_cmdline:file r_file_perms;
|
||||||
|
|
||||||
|
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
|
||||||
|
# the dynamic linker and shared libraries.
|
||||||
|
recovery_only(`
|
||||||
|
allow ueventd rootfs:file { r_file_perms execute };
|
||||||
|
')
|
||||||
|
|
||||||
#####
|
#####
|
||||||
##### neverallow rules
|
##### neverallow rules
|
||||||
#####
|
#####
|
||||||
|
|
|
||||||
|
|
@ -155,6 +155,12 @@ allow vendor_init self:global_capability_class_set sys_admin;
|
||||||
# Raw writes to misc block device
|
# Raw writes to misc block device
|
||||||
allow vendor_init misc_block_device:blk_file w_file_perms;
|
allow vendor_init misc_block_device:blk_file w_file_perms;
|
||||||
|
|
||||||
|
# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
|
||||||
|
# the dynamic linker and shared libraries.
|
||||||
|
recovery_only(`
|
||||||
|
allow vendor_init rootfs:file { r_file_perms execute };
|
||||||
|
')
|
||||||
|
|
||||||
not_compatible_property(`
|
not_compatible_property(`
|
||||||
set_prop(vendor_init, {
|
set_prop(vendor_init, {
|
||||||
property_type
|
property_type
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue