5d8d2dc9f9
Grant update_verifier the permissions to read /data/ota_package/
and the blocks on system partition.
The denial messages:
update_verifier: type=1400 audit(0.0:29): avc: denied { read } for name="care_map.txt" dev="sda35"
ino=1368066 scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1
update_verifier: type=1400 audit(0.0:30): avc: denied { open } for path="/data/ota_package/care_map.txt" dev="sda35"
ino=1368066 scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1
update_verifier: type=1400 audit(0.0:31): avc: denied { read } for name="sda33" dev="tmpfs" ino=5613
scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1
update_verifier: type=1400 audit(0.0:32): avc: denied { open } for path="/dev/block/sda33" dev="tmpfs" ino=5613
scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1
Test: On sailfish, update_verifier reads the blocks successfully during boot time.
Bug: 30020920
Change-Id: I10777c1e6ba649b82c4a73171124742edeb05997
17 lines
567 B
Text
17 lines
567 B
Text
# update_verifier
|
|
# update_verifier uses the boot_control_hal.
|
|
type update_verifier, domain, boot_control_hal;
|
|
type update_verifier_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(update_verifier)
|
|
|
|
# Allow update_verifier to reach block devices in /dev/block.
|
|
allow update_verifier block_device:dir search;
|
|
|
|
# Read care map in /data/ota_package/.
|
|
allow update_verifier ota_package_file:dir r_dir_perms;
|
|
allow update_verifier ota_package_file:file r_file_perms;
|
|
|
|
# Read all blocks in system partition.
|
|
allow update_verifier system_block_device:blk_file r_file_perms;
|
|
|