platform_system_sepolicy/vendor/hal_bootctl_default.te
David Anderson 9853c7522d Allow reading dt fstab in boot control HAL.
Fixes the following denial:
  type=1400 audit(0.0:4): avc: denied { read } for comm="android.hardwar" name="compatible" dev="sysfs" ino=28205 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:sysfs_dt_firmware_android:s0 tclass=file permissive=0

This permission is needed for ReadDefaultFstab, which searches the device tree for fstab entries. Devices that use dt-fstab may fail to find the misc block device.

Bug: 143589455
Test: manual test
Change-Id: Ied52fe9b1056d26b4dd00811c4690fa4c505fae8
2020-01-28 01:03:38 +00:00

19 lines
774 B
Text

# Boot control subsystem
type hal_bootctl_default, domain;
hal_server_domain(hal_bootctl_default, hal_bootctl)
type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_bootctl_default)
# Needed for ReadDefaultFstab.
allow hal_bootctl_default proc_cmdline:file r_file_perms;
allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
# a GSI-corrected fstab.
dontaudit hal_bootctl_default metadata_file:dir search;
# Needed for reading/writing misc partition.
allow hal_bootctl_default block_device:dir search;
allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;