d25ccabd24
Restrictions introduced in vendor init mean that new devices
may not no longer exempt vendor init from writing to system_data_file.
This means we must introduce a new label for /data/vendor which
vendor_init may write to.
Bug: 73087047
Test: build and boot Taimen and Marlin. Complete SUW, enroll fingerprint
No new denials.
Change-Id: I65f904bb28952d4776aab947515947e14befbe34
18 lines
977 B
Text
18 lines
977 B
Text
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
|
|
|
|
allow vold_prepare_subdirs system_file:file execute_no_trans;
|
|
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
|
|
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
|
|
allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
|
|
allow vold_prepare_subdirs vold:fd use;
|
|
allow vold_prepare_subdirs vold:fifo_file { read write };
|
|
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
|
|
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
|
|
allow vold_prepare_subdirs self:process setfscreate;
|
|
allow vold_prepare_subdirs {
|
|
system_data_file
|
|
vendor_data_file
|
|
}:dir { open read write add_name remove_name };
|
|
allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
|
|
allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
|
|
allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
|