tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

remount: allow bootanimation to run animation from oem

Browse source 
Grant bootanimation all read permissions on oem using
r_dir_file macro instead of specifying individual permissions.

This prevents failure to read the bootanimation on oem if
partition has been remounted.

After remount, bootanimation will log violation for the
/oem/media directory when reading an existing file (boot animation can
is still played).
avc:  denied  { read } for  pid=2820 comm="bootanimation" name="media"
   dev="sda75" ino=152 scontext=u:r:bootanim:s0
   tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0

After remount, if modifying/adding file in /oem/media directory,
bootanimation will fail to read the bootanimation zip, now with
violation:
avc:  denied  { read } for  pid=2838 comm="bootanimation" name="media"
   dev="dm-8" ino=70 scontext=u:r:bootanim:s0 tcontext=u:object_r:oemfs:s0
   tclass=dir permissive=0

Bug: 324437684
Test: adb remount
      replace /oem/media/bootanimation.zip with custom animation
      adb reboot
      confirm that expected bootanimation is played
      confirm no selinux violations are seen in logcat
Change-Id: Iaafdeeacaf88d8f5c1214700edc8eec2824b0159
This commit is contained in:
Håkan Kvist 2024-02-08 16:21:06 +01:00
parent 95d371bcfd
commit e38af22c5e
1 changed files with 1 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
public/bootanim.te
View file

@ -17,8 +17,7 @@ allow bootanim gpu_device:dir r_dir_perms;
allow bootanim sysfs_gpu:file r_file_perms;
# /oem access
allow bootanim oemfs:dir search;
allow bootanim oemfs:file r_file_perms;
r_dir_file(bootanim, oemfs);
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;