Merge "Allow fastbootd to mount /metadata in recovery." am: deef325f8f am: 8b039a7b43

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1674731 Change-Id: I81ddceeec52803ce791760a4fe9a7146552e7417
2021-05-06 23:39:43 +00:00 · 2021-05-06 23:39:43 +00:00 · e408a10f4a
commit e408a10f4a
parent c573c46b0a 8b039a7b43
3 changed files with 5 additions and 3 deletions
--- a/private/domain.te
+++ b/private/domain.te
@ -359,7 +359,7 @@ neverallow ~{
 neverallow {
    domain
    -apexd
-    recovery_only(`userdebug_or_eng(`-fastbootd')')
+    recovery_only(`-fastbootd')
    -init
    -kernel
    -otapreopt_chroot
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@ -38,4 +38,7 @@ recovery_only(`

  # Get fastbootd protocol property
  get_prop(fastbootd, fastbootd_protocol_prop)
+
+  # Mount /metadata to interact with Virtual A/B snapshots.
+  allow fastbootd labeledfs:filesystem { mount unmount };
 ')
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@ -48,7 +48,7 @@ recovery_only(`
  # libfiemap.
  allow fastbootd metadata_block_device:blk_file r_file_perms;
  allow fastbootd {rootfs tmpfs}:dir mounton;
-  allow fastbootd metadata_file:dir { search getattr };
+  allow fastbootd metadata_file:dir { search getattr mounton };
  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
  allow fastbootd gsi_metadata_file_type:file create_file_perms;

@ -97,7 +97,6 @@ recovery_only(`
      vendor_file_type
    }:{ file lnk_file } unlink;
    allow fastbootd tmpfs:dir rw_dir_perms;
-    allow fastbootd labeledfs:filesystem { mount unmount };
    # Fetch vendor_boot partition
    allow fastbootd boot_block_device:blk_file r_file_perms;
  ')