Allow update_engine to inotify_add_watch dm-user device nodes.

inotify_add_watch requires read permissions and these were only granted
to the /dev/block/dm-user directory, not the device nodes.

Denial: avc:  denied  { read } for  pid=1918 comm="update_engine" name="product_b-user-cow" dev="tmpfs" ino=162 scontext=u:r:update_engine:s0 tcontext=u:object_r:dm_user_device:s0 tclass=chr_file permissive=0

Bug: 238572067
Test: apply OTA
Change-Id: I3fa7c9600873f4a2638fd140287511005f5aac1d
David Anderson 2022-07-21 12:45:20 -07:00
parent 9617447817
commit b7bb3d0071
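The "inotify wait for control devices to be asynchronously created by ueventd" pattern that the policy comment refers to, shown as an added example in C. This is not code from the AOSP commit or from update_engine: it assumes a Linux host with inotify, a writable /tmp, and uses a forked child creating a regular file as a stand-in for ueventd creating the character device node (creating a real chr device needs CAP_MKNOD). The point it demonstrates is the order of operations: register the watch first, then check whether the node already exists, then block on events, so a node created between the check and the watch cannot be missed. The same read-permission requirement applies to whatever path is handed to inotify_add_watch, which is why the commit adds the chr_file rule next to the existing dir rule.

```c
// Added example, not part of the commit above. Assumes Linux inotify and a
// writable /tmp; a regular file stands in for the dm-user character device.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Block until `name` exists in `dir`, or timeout_ms elapses.
 * Returns 0 when the node is present, -1 on error with errno set
 * (ETIMEDOUT on timeout). The watch is registered before the existence
 * check so a node created in between cannot be missed. */
int wait_for_node(const char *dir, const char *name, int timeout_ms) {
    int fd = inotify_init1(IN_CLOEXEC | IN_NONBLOCK);
    if (fd < 0) return -1;
    /* inotify_add_watch needs read permission on the watched path; for the
     * real /dev/block/dm-user that is the dm_user_device:dir rule. */
    if (inotify_add_watch(fd, dir, IN_CREATE) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if (access(path, F_OK) == 0) { close(fd); return 0; }   /* already there */

    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    for (;;) {
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc == 0) { close(fd); errno = ETIMEDOUT; return -1; }
        if (rc < 0) {
            if (errno == EINTR) continue;
            int e = errno; close(fd); errno = e; return -1;
        }
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) {
            if (errno == EAGAIN || errno == EINTR) continue;
            int e = errno; close(fd); errno = e; return -1;
        }
        /* One read may return several events; walk them all. */
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->len && strcmp(ev->name, name) == 0) { close(fd); return 0; }
            p += sizeof *ev + ev->len;
        }
    }
}

/* Demo: a forked child creates the node after a delay (standing in for
 * ueventd) while the parent waits for it. Returns 0 on success. */
int demo_wait_succeeds(void) {
    char dir[] = "/tmp/dmuser-XXXXXX";          /* constructed scratch dir */
    if (!mkdtemp(dir)) return -1;
    const char *name = "product_b-user-cow";    /* node name from the denial */
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);

    pid_t pid = fork();
    if (pid < 0) { rmdir(dir); return -1; }
    if (pid == 0) {
        usleep(200000);
        int cfd = open(path, O_CREAT | O_WRONLY, 0600);
        if (cfd >= 0) close(cfd);
        _exit(0);
    }
    int rc = wait_for_node(dir, name, 5000);
    waitpid(pid, NULL, 0);
    unlink(path);
    rmdir(dir);
    return rc;
}

/* Demo: nobody creates the node, so the wait must time out. Returns 1 when
 * wait_for_node reports ETIMEDOUT, 0 otherwise. */
int demo_wait_times_out(void) {
    char dir[] = "/tmp/dmuser-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    int rc = wait_for_node(dir, "never-created", 100);
    int timed_out = (rc == -1 && errno == ETIMEDOUT);
    rmdir(dir);
    return timed_out;
}

int main(void) {
    printf("wait succeeds: %s\n", demo_wait_succeeds() == 0 ? "yes" : "no");
    printf("wait times out: %s\n", demo_wait_times_out() ? "yes" : "no");
    return 0;
}
```

Under SELinux enforcement, the inotify_add_watch call in wait_for_node is where the denial quoted in the commit message would surface as EACCES if the policy granted read on the directory but not on the node being watched.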


@ -72,6 +72,7 @@ allow update_engine_common dm_device:blk_file rw_file_perms;
# read /dev/dm-user, so that we can inotify wait for control devices to be
# asynchronously created by ueventd.
allow update_engine dm_user_device:dir r_dir_perms;
allow update_engine dm_user_device:chr_file r_file_perms;
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;
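Review bot: the comment above the new rule ("read /dev/dm-user, so that we can inotify wait for control devices ...") now sits over two rules but only describes the directory watch; extend it to say that the device nodes under /dev/block/dm-user also need read because inotify_add_watch requires read on the watched path, which is the reason for the added `allow update_engine dm_user_device:chr_file r_file_perms;` line. Also, r_file_perms is a macro and grants more than the single `{ read }` in the quoted denial; if only the watch is needed, consider whether an explicit narrower permission set on the chr_file class is sufficient, or note why the full macro is wanted.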