018004d9d1
It is important that fastbootd is able to mount /metadata in recovery, in
order to check whether Virtual A/B snapshots are present. This is
enabled on userdebug builds, but currently fails on user builds.
Fixes:
audit: type=1400 audit(7258310.023:24): avc: denied { mount } for pid=511 comm="fastbootd" name="/" dev="sda15" ino=2 scontext=u:r:fastbootd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
Bug: 181097763
Test: fastboot flash on user build
Change-Id: I1abeeaa3109e08755a1ba44623a46b12d9bfdedc
44 lines
1.4 KiB
Text
44 lines
1.4 KiB
Text
typeattribute fastbootd coredomain;
|
|
|
|
# The allow rules are only included in the recovery policy.
|
|
# Otherwise fastbootd is only allowed the domain rules.
|
|
recovery_only(`
|
|
# Reboot the device
|
|
set_prop(fastbootd, powerctl_prop)
|
|
|
|
# Read serial number of the device from system properties
|
|
get_prop(fastbootd, serialno_prop)
|
|
|
|
# Set sys.usb.ffs.ready.
|
|
get_prop(fastbootd, ffs_config_prop)
|
|
set_prop(fastbootd, ffs_control_prop)
|
|
|
|
userdebug_or_eng(`
|
|
get_prop(fastbootd, persistent_properties_ready_prop)
|
|
')
|
|
|
|
set_prop(fastbootd, gsid_prop)
|
|
|
|
# Determine allocation scheme (whether B partitions needs to be
|
|
# at the second half of super.
|
|
get_prop(fastbootd, virtual_ab_prop)
|
|
|
|
# Needed for TCP protocol
|
|
allow fastbootd node:tcp_socket node_bind;
|
|
allow fastbootd port:tcp_socket name_bind;
|
|
allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
|
|
|
|
# Start snapuserd for merging VABC updates
|
|
set_prop(fastbootd, ctl_snapuserd_prop)
|
|
|
|
# Needed to communicate with snapuserd to complete merges.
|
|
allow fastbootd snapuserd_socket:sock_file write;
|
|
allow fastbootd snapuserd:unix_stream_socket connectto;
|
|
allow fastbootd dm_user_device:dir r_dir_perms;
|
|
|
|
# Get fastbootd protocol property
|
|
get_prop(fastbootd, fastbootd_protocol_prop)
|
|
|
|
# Mount /metadata to interact with Virtual A/B snapshots.
|
|
allow fastbootd labeledfs:filesystem { mount unmount };
|
|
')
|