Allow apexd to create symlink in /apex.
Bug: 115710947 Test: on device Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
parent
247f061a65
commit
bab267a88f
4 changed files with 10 additions and 0 deletions
|
@ -29,6 +29,9 @@ allow apexd apex_mnt_dir:dir create_dir_perms;
|
||||||
# allow apexd to mount in /apex
|
# allow apexd to mount in /apex
|
||||||
allow apexd apex_mnt_dir:filesystem { mount unmount };
|
allow apexd apex_mnt_dir:filesystem { mount unmount };
|
||||||
allow apexd apex_mnt_dir:dir mounton;
|
allow apexd apex_mnt_dir:dir mounton;
|
||||||
|
# allow apexd to create symlinks in /apex
|
||||||
|
allow apexd apex_mnt_dir:lnk_file create_file_perms;
|
||||||
|
|
||||||
# Unmount and mount filesystems
|
# Unmount and mount filesystems
|
||||||
allow apexd labeledfs:filesystem { mount unmount };
|
allow apexd labeledfs:filesystem { mount unmount };
|
||||||
|
|
||||||
|
@ -40,3 +43,4 @@ dontaudit apexd self:global_capability_class_set { dac_override dac_read_search
|
||||||
|
|
||||||
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
|
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
|
||||||
neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
|
neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
|
||||||
|
neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
|
||||||
|
|
|
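Review bot: `create_file_perms` on the new `allow apexd apex_mnt_dir:lnk_file` rule grants more than making a symlink needs; in AOSP's global macros it expands to create, rename, setattr and unlink plus the full read/write file set, and most of the write permissions have no use on a link. If apexd only creates, replaces and removes links under /apex (to be confirmed against the daemon), an explicit set such as `allow apexd apex_mnt_dir:lnk_file { create getattr read rename unlink };` keeps the domain closer to least privilege. The paired neverallow in the second hunk covers only the lnk_file class. Whether a matching rule restricts writes to `apex_mnt_dir:dir` for other domains is not visible in these hunks and is worth confirming.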
@ -343,6 +343,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
|
||||||
# Under ASAN, /system/asan.options needs to be globally accessible.
|
# Under ASAN, /system/asan.options needs to be globally accessible.
|
||||||
with_asan(`allow domain system_asan_options_file:file r_file_perms;')
|
with_asan(`allow domain system_asan_options_file:file r_file_perms;')
|
||||||
|
|
||||||
|
# read APEX dir and stat any symlink pointing to APEXs.
|
||||||
|
allow domain apex_mnt_dir:dir search;
|
||||||
|
allow domain apex_mnt_dir:lnk_file r_file_perms;
|
||||||
|
|
||||||
###
|
###
|
||||||
### neverallow rules
|
### neverallow rules
|
||||||
###
|
###
|
||||||
|
|
|
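Review bot: The comment above the two new `allow domain` rules says domains only need to stat symlinks under /apex, but `r_file_perms` on `apex_mnt_dir:lnk_file` grants the whole read set (getattr, open, read, ioctl, lock and so on in AOSP's macros). Stat needs `getattr` and following a link needs `read`, so `allow domain apex_mnt_dir:lnk_file { getattr read };` should cover both, with the comment changed to `# search /apex and stat or follow symlinks pointing to APEXes`. Because the source is the `domain` attribute, anything granted here reaches every process domain, including the least trusted ones, so the narrower set is the safer default.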
@ -205,6 +205,7 @@ allow init {
|
||||||
|
|
||||||
allow init {
|
allow init {
|
||||||
file_type
|
file_type
|
||||||
|
-apex_mnt_dir
|
||||||
-app_data_file
|
-app_data_file
|
||||||
-exec_type
|
-exec_type
|
||||||
-iorapd_data_file
|
-iorapd_data_file
|
||||||
|
|
|
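Review bot: The new `-apex_mnt_dir` exclusion in this `allow init { file_type … }` set has no comment explaining it, and the same applies to the identical exclusion in the `allow vendor_init` hunk that follows. It appears to exist so init and vendor_init do not trip the new `neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;` rule, which is worth stating next to the rule, for example `# /apex is managed only by apexd; see the neverallow in the apexd policy`. The class and permission list of this allow block lie outside the hunk, so it cannot be confirmed from here that this is the only `file_type` rule for init that needs the exclusion.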
@ -78,6 +78,7 @@ allow vendor_init {
|
||||||
|
|
||||||
allow vendor_init {
|
allow vendor_init {
|
||||||
file_type
|
file_type
|
||||||
|
-apex_mnt_dir
|
||||||
-core_data_file_type
|
-core_data_file_type
|
||||||
-exec_type
|
-exec_type
|
||||||
-system_file_type
|
-system_file_type
|
||||||
|
|