5854941f63
Grant ReadDefaultFstab() callers
allow scontext { metadata_file gsi_metadata_file_type }:dir search;
allow scontext gsi_public_metadata_file:file r_file_perms;
so they can search / read DSU metadata files.
The DSU metadata files are required to deduce the correct fstab.
Also tighten the neverallow rules in gsid.te.
Bug: 181110285
Test: Build pass, presubmit test
Test: Boot and check avc denials
Test: Boot with DSU and check avc denials
Change-Id: Ie464b9a8f7a89f9cf8f4e217dad1322ba3ad0633
42 lines
1.2 KiB
Text
42 lines
1.2 KiB
Text
# uncrypt
|
|
type uncrypt, domain, mlstrustedsubject;
|
|
type uncrypt_exec, system_file_type, exec_type, file_type;
|
|
|
|
allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
|
|
|
|
userdebug_or_eng(`
|
|
# For debugging, allow /data/local/tmp access
|
|
r_dir_file(uncrypt, shell_data_file)
|
|
')
|
|
|
|
# Read /cache/recovery/command
|
|
# Read /cache/recovery/uncrypt_file
|
|
allow uncrypt cache_file:dir search;
|
|
allow uncrypt cache_recovery_file:dir rw_dir_perms;
|
|
allow uncrypt cache_recovery_file:file create_file_perms;
|
|
|
|
# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
|
|
allow uncrypt ota_package_file:dir r_dir_perms;
|
|
allow uncrypt ota_package_file:file rw_file_perms;
|
|
|
|
# Write to /dev/socket/uncrypt
|
|
unix_socket_connect(uncrypt, uncrypt, uncrypt)
|
|
|
|
# Raw writes to block device
|
|
allow uncrypt self:global_capability_class_set sys_rawio;
|
|
allow uncrypt misc_block_device:blk_file w_file_perms;
|
|
allow uncrypt block_device:dir r_dir_perms;
|
|
|
|
# Access userdata block device.
|
|
allow uncrypt userdata_block_device:blk_file w_file_perms;
|
|
|
|
r_dir_file(uncrypt, rootfs)
|
|
|
|
# uncrypt reads /proc/cmdline
|
|
allow uncrypt proc_cmdline:file r_file_perms;
|
|
|
|
# Read files in /sys
|
|
r_dir_file(uncrypt, sysfs_dt_firmware_android)
|
|
|
|
# Allow ReadDefaultFstab().
|
|
read_fstab(uncrypt)
|