tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add proc_cmdline read permission to read_fstab

Browse source 
ReadDefaultFstab() calls fs_mgr_get_boot_config() which could read
/proc/bootconfig and /proc/cmdline.

Bug: 225310919
Test: TH presubmit
Change-Id: Ibe66a41d0d74d7b71dc70436af68b7a7eed721b6
This commit is contained in:
Yi-Yo Chiang 2022-03-20 16:35:19 +08:00
parent b93f26fd89
commit cdd95be894
2 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
private/gsid.te
View file

@ -48,7 +48,7 @@ r_dir_file(gsid, sysfs_fs_f2fs)
# Needed to read fstab, which is used to validate that system verity does not
# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
# to get the A/B slot suffix).
allow gsid proc_cmdline:file r_file_perms;
read_fstab(gsid)
allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
allow gsid sysfs_dt_firmware_android:file r_file_perms;

2
public/te_macros
View file

@ -1023,7 +1023,7 @@ define(`vendor_public_prop', `define_prop($1, vendor, public)')
define(`read_fstab', `
allow $1 { metadata_file gsi_metadata_file_type }:dir search;
allow $1 gsi_public_metadata_file:file r_file_perms;
allow $1 proc_bootconfig:file r_file_perms;
allow $1 { proc_bootconfig proc_cmdline }:file r_file_perms;
')
######################################