342362ae3e
kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4
26 lines
1 KiB
Text
26 lines
1 KiB
Text
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
|
|
|
|
allow vold_prepare_subdirs system_file:file execute_no_trans;
|
|
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
|
|
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
|
|
allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
|
|
allow vold_prepare_subdirs vold:fd use;
|
|
allow vold_prepare_subdirs vold:fifo_file { read write };
|
|
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
|
|
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
|
|
allow vold_prepare_subdirs self:process setfscreate;
|
|
allow vold_prepare_subdirs {
|
|
system_data_file
|
|
vendor_data_file
|
|
}:dir { open read write add_name remove_name rmdir relabelfrom };
|
|
allow vold_prepare_subdirs {
|
|
fingerprint_vendor_data_file
|
|
storaged_data_file
|
|
vold_data_file
|
|
}:dir { create_dir_perms relabelto };
|
|
allow vold_prepare_subdirs {
|
|
fingerprint_vendor_data_file
|
|
storaged_data_file
|
|
system_data_file
|
|
vold_data_file
|
|
}:file { getattr unlink };
|