Merge "selinux rules for loading incremental module" am: 3cf7d1b5ee
am: 8c020eec71
am: 0c789cc584
Change-Id: Ifdd7e864f7d9fee65aac576272a1fedb8ee88e71
This commit is contained in:
commit
d951bab082
5 changed files with 10 additions and 0 deletions
|
@ -89,6 +89,7 @@
|
|||
vehicle_hal_prop
|
||||
vendor_apex_file
|
||||
vendor_boringssl_self_test
|
||||
vendor_incremental_module
|
||||
vendor_install_recovery
|
||||
vendor_install_recovery_exec
|
||||
virtual_ab_prop))
|
||||
|
|
|
@ -372,6 +372,7 @@
|
|||
/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
|
||||
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
|
||||
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
|
||||
(/vendor|system/vendor)/lib(64)?/modules/incrementalfs\.ko u:object_r:vendor_incremental_module:s0
|
||||
|
||||
# HAL location
|
||||
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
|
||||
|
|
|
@ -1004,6 +1004,7 @@ full_treble_only(`
|
|||
-vendor_overlay_file
|
||||
-vendor_public_lib_file
|
||||
-vendor_task_profiles_file
|
||||
-vendor_incremental_module
|
||||
-vndk_sp_file
|
||||
}:file *;
|
||||
')
|
||||
|
|
|
@ -210,6 +210,8 @@ type vendor_overlay_file, vendor_file_type, file_type;
|
|||
# Type for all vendor public libraries. These libs should only be exposed to
|
||||
# apps. ABI stability of these libs is vendor's responsibility.
|
||||
type vendor_public_lib_file, vendor_file_type, file_type;
|
||||
# Default type for incremental file system driver
|
||||
type vendor_incremental_module, vendor_file_type, file_type;
|
||||
|
||||
# Input configuration
|
||||
type vendor_keylayout_file, vendor_file_type, file_type;
|
||||
|
|
|
@ -52,6 +52,11 @@ allowxperm vold data_file_type:dir ioctl {
|
|||
FS_IOC_REMOVE_ENCRYPTION_KEY
|
||||
};
|
||||
|
||||
# Allow to load incremental file system driver
|
||||
allow vold self:capability sys_module;
|
||||
allow vold vendor_incremental_module:file r_file_perms;
|
||||
allow vold vendor_incremental_module:system module_load;
|
||||
|
||||
# Only vold and init should ever set file-based encryption policies.
|
||||
neverallowxperm {
|
||||
domain
|
||||
|
|
Loading…
Reference in a new issue