Merge "Remove some FDE rules and update comments" am: b83a6d1168
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2065887 Change-Id: Ib41b61ff06a839653c3608708be382ea0ca65e49 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Eric Biggers
Automerger Merge Worker
commit
fa1f9cb2b8
5 changed files with 16 additions and 26 deletions
|
|
@ -24,7 +24,6 @@ get_prop(vold, storage_config_prop);
|
|||
get_prop(vold, incremental_prop);
|
||||
get_prop(vold, gsid_prop);
|
||||
|
||||
set_prop(vold, vold_post_fs_data_prop)
|
||||
set_prop(vold, vold_prop)
|
||||
set_prop(vold, vold_status_prop)
|
||||
set_prop(vold, powerctl_prop)
|
||||
|
|
|
|||
|
|
@ -79,36 +79,35 @@ type root_block_device, dev_type;
|
|||
type frp_block_device, dev_type;
|
||||
|
||||
# System block device mounted on /system.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type system_block_device, dev_type;
|
||||
|
||||
# Recovery block device.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type recovery_block_device, dev_type;
|
||||
|
||||
# boot block device.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type boot_block_device, dev_type;
|
||||
|
||||
# Userdata block device mounted on /data.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type userdata_block_device, dev_type;
|
||||
|
||||
# Cache block device mounted on /cache.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type cache_block_device, dev_type;
|
||||
|
||||
# Block device for any swap partition.
|
||||
type swap_block_device, dev_type;
|
||||
|
||||
# Metadata block device used for encryption metadata.
|
||||
# Assign this type to the partition specified by the encryptable=
|
||||
# mount option in your fstab file in the entry for userdata.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Metadata block device mounted on /metadata, used for encryption metadata and
|
||||
# various other purposes.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type metadata_block_device, dev_type;
|
||||
|
||||
# The 'misc' partition used by recovery and A/B.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type misc_block_device, dev_type;
|
||||
|
||||
# 'super' partition to be used for logical partitioning.
|
||||
|
|
|
|||
|
|
@ -144,7 +144,7 @@ allow init configfs:{ file lnk_file } create_file_perms;
|
|||
# /metadata
|
||||
allow init metadata_file:dir mounton;
|
||||
|
||||
# Use tmpfs as /data, used for booting when /data is encrypted
|
||||
# Run restorecon on /dev
|
||||
allow init tmpfs:dir relabelfrom;
|
||||
|
||||
# Create directories under /dev/cpuctl after chowning it to system.
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# vdc spawned from init for the following services:
|
||||
# defaultcrypto
|
||||
# encrypt
|
||||
# vdc is a helper program for making Binder calls to vold. It is spawned from
|
||||
# init for various reasons, such as initializing file-based encryption and
|
||||
# metadata encryption, and managing userdata checkpointing.
|
||||
#
|
||||
# We also transition into this domain from dumpstate, when
|
||||
# collecting bug reports.
|
||||
|
|
|
|||
|
|
@ -168,17 +168,9 @@ allow vold fsck_exec:file { r_file_perms execute };
|
|||
allow vold fscklogs:dir rw_dir_perms;
|
||||
allow vold fscklogs:file create_file_perms;
|
||||
|
||||
#
|
||||
# Rules to support encrypted fs support.
|
||||
#
|
||||
|
||||
# Unmount and mount the fs.
|
||||
# Mount and unmount filesystems.
|
||||
allow vold labeledfs:filesystem { mount unmount remount };
|
||||
|
||||
# Access /efs/userdata_footer.
|
||||
# XXX Split into a separate type?
|
||||
allow vold efs_file:file rw_file_perms;
|
||||
|
||||
# Create and mount on /data/tmp_mnt and management of expansion mounts
|
||||
allow vold {
|
||||
system_data_file
|
||||
|
|
@ -210,7 +202,7 @@ allow vold unlabeled:file { r_file_perms setattr relabelfrom };
|
|||
allow vold fusectlfs:file rw_file_perms;
|
||||
allow vold fusectlfs:dir rw_dir_perms;
|
||||
|
||||
# Handle wake locks (used for device encryption)
|
||||
# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
|
||||
wakelock_use(vold)
|
||||
|
||||
# Allow vold to publish a binder service and make binder calls.
|
||||
|
|
@ -272,7 +264,7 @@ allow vold app_fusefs:filesystem { mount unmount };
|
|||
allow vold app_fuse_file:dir rw_dir_perms;
|
||||
allow vold app_fuse_file:file { read write open getattr append };
|
||||
|
||||
# MoveTask.cpp executes cp and rm
|
||||
# MoveStorage.cpp executes cp and rm
|
||||
allow vold toolbox_exec:file rx_file_perms;
|
||||
|
||||
# Prepare profile dir for users.
|
||||
|
|
|
|||
Loading…
Reference in a new issue