10 commits

Author SHA1 Message Date
David Anderson
bf0bf05a0c Allow BLKIOMIN and BLKALIGNOFF ioctls to the super device in fastbootd.
These ioctls are similar to BLKGETSIZE64; they return benign information
about the partition's alignment, and are used by liblp to optimally
align dynamic partition extents.

The system_block_device is included here because on retrofit devices,
the "super" partition is mapped to the system partition.

Bug: 116802789
Test: fastboot flashall
Change-Id: I38282904828105cf5f16ce9d4b5884d2b0e89d38
2018-10-30 15:44:03 -07:00
Nick Kralevich
392ac0fd53 fastbootd.te: Delete allowxperm statement
system/sepolicy commit 4c8eaba75a, reviewed in
https://android-review.googlesource.com/c/platform/system/sepolicy/+/793958
started enforcing explicit ioctl permission checks for all block device
files. As part of that commit, the following lines were added to
domain.te:

  # If a domain has access to perform an ioctl on a block device, allow these
  # very common, benign ioctls
  allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };

In essence, if a domain is granted ioctl access to any device in
policy (for example, via adding "ioctl" to the allow rule, or by using
the macro "r_file_perms" which includes the ioctl permission), then the
two ioctls BLKGETSIZE64 and BLKSSZGET will be automatically allowed. As
such, it is redundant for a domain to explicitly request these two
ioctls.

Delete the now redundant allowxperm rule.

Test: policy compiles
Change-Id: I1964ed93a7c7601393cc9e2416f3640ea22db51b
2018-10-22 10:01:10 -07:00
Hridya Valsaraju
2e645853ce Allow fastbootd to read endpoint descriptor for fastboot usb device
Test: fastboot flashall
Bug: 78793464
Change-Id: I8e1e982e3a9e356738944df5bfa1e802794a6a25
2018-10-12 13:33:42 -07:00
Hridya Valsaraju
073efc34e7 Allow fastbootd to wipe metadata.
Metadata needs to be erased as part of fastboot flashall -w.

Test: fastboot erase metadata
Bug: 113648914
Change-Id: I38a0debd9face16cad9d9a13a48549f3f58652fa
2018-09-13 17:55:28 +00:00
Hridya Valsaraju
e9fcce5642 Fastbootd does not require read access to system and boot partitions
Bug: 78793464
Test: fastboot flashall

Change-Id: I5b65b818dc43a01f90a38202e3a1b810fef70ca8
2018-09-07 00:09:34 +00:00
Hridya Valsaraju
f97026db4a Allow fastbootd to wipe userdata.
This is needed for flashall -w to wipe userdata.
Bug: 113648914
Test: fastboot erase userdata

Change-Id: I7e89cf885c9a67c78de67b79ed16af7e50104bf7
2018-09-05 13:40:30 -07:00
Hridya Valsaraju
4ae8fe9b84 Define 'super_block_device' type
Bug: 78793464
Test: fastboot getvar partition-size:super

'super_block_device' corresponds to the super partition
required for flashing dynamic partitions.

Change-Id: I323634b6797ead7c5face117a7028bf9ab947aea
2018-08-20 10:55:03 -07:00
Jerry Zhang
1d85efa9f4 Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I80c54d4eaf3b94a1fe26d2280af4e57cb1593790
2018-08-15 08:45:22 -07:00
Florian Mayer
c2ab15b798 Revert "Add sepolicy for fastbootd"
This reverts commit 0fd3ed3b8b.

Reason for revert: Broke user builds.

Change-Id: If95f1a25d22425a5a2b68a02d1561352fb5a52f0
2018-08-15 09:38:40 +00:00
Jerry Zhang
0fd3ed3b8b Add sepolicy for fastbootd
Also allow adb and fastboot to talk to recovery
through recovery_socket. This enables changing
between modes with usb commands.

Test: No selinux denials
Bug: 78793464
Change-Id: I1f97659736429fe961319c642f458c80f199ffb4
2018-08-14 20:21:36 +00:00