a1cdf2e311
Previously we would mount OTA images with a 'context=...' mount
option. This meant that all selinux contexts were ignored in the ota
image, limiting the usefulness of selinux in this situation. To fix
this the mount has been changed to not overwrite the declared contexts
and the policies have been updated to accurately describe the actions
being performed by an OTA.
Bug: 181182967
Test: Manual OTA of blueline
Test: lunch wembley-userdebug; m droid
Ignore-AOSP-First: Requires changes to device/mediatek/wembley-sepolicy
to be applied simultaneously to avoid breaking
builds. Once merged this will be cherry-picked back
to AOSP to maintain state.
Change-Id: I5eb53625202479ea7e75c27273531257d041e69d
27 lines
1 KiB
Text
27 lines
1 KiB
Text
type linkerconfig, domain, coredomain;
|
|
type linkerconfig_exec, exec_type, file_type, system_file_type;
|
|
|
|
init_daemon_domain(linkerconfig)
|
|
|
|
## Read and write linkerconfig subdirectory.
|
|
allow linkerconfig linkerconfig_file:dir create_dir_perms;
|
|
allow linkerconfig linkerconfig_file:file create_file_perms;
|
|
|
|
# Allow linkerconfig to log to the kernel.
|
|
allow linkerconfig kmsg_device:chr_file w_file_perms;
|
|
|
|
# Allow linkerconfig to be invoked with logwrapper from init.
|
|
allow linkerconfig devpts:chr_file { read write };
|
|
|
|
# Allow linkerconfig to scan for apex modules
|
|
allow linkerconfig apex_mnt_dir:dir r_dir_perms;
|
|
|
|
# Allow linkerconfig to read apex-info-list.xml
|
|
allow linkerconfig apex_info_file:file r_file_perms;
|
|
|
|
# Allow linkerconfig to be called in the otapreopt_chroot
|
|
allow linkerconfig otapreopt_chroot:fd use;
|
|
allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
|
|
allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
|
|
|
|
neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
|