5854941f63
Grant ReadDefaultFstab() callers allow scontext { metadata_file gsi_metadata_file_type }:dir search; allow scontext gsi_public_metadata_file:file r_file_perms; so they can search / read DSU metadata files. The DSU metadata files are required to deduce the correct fstab. Also tighten the neverallow rules in gsid.te. Bug: 181110285 Test: Build pass, presubmit test Test: Boot and check avc denials Test: Boot with DSU and check avc denials Change-Id: Ie464b9a8f7a89f9cf8f4e217dad1322ba3ad0633
# vendor_misc_writer
# Process domain type for the vendor misc writer. The domain attribute marks
# it as a process type, so rules written against that attribute apply to it.
type vendor_misc_writer, domain;
# File type for the vendor_misc_writer executable, tagged as a vendor file and
# as an executable.
# NOTE(review): no entrypoint or domain transition rule appears in this
# listing; presumably it is declared elsewhere in the policy -- confirm.
type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
# Raw writes to misc_block_device
# Write-side grant on the misc partition device node. w_file_perms carries no
# read permission, so this rule alone does not let the domain read misc back.
# misc_block_device is the only block device type this file grants write on.
allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
# Read/search on directories labeled block_device. The class is dir only, so
# this grants nothing on the block device nodes themselves.
# Presumably needed to resolve the misc device node by path -- confirm.
allow vendor_misc_writer block_device:dir r_dir_perms;
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
# dontaudit suppresses only the audit record: the read of proc_cmdline stays
# denied. Denials hidden this way will not appear in avc logs, so keep that in
# mind when triaging missing-permission bugs for this domain.
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
# Suppress (not allow) the audit record for the directory search on the
# device-tree firmware node made while probing for a DT fstab. The search
# itself remains denied.
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
# The read of proc_bootconfig stays denied; dontaudit only keeps the denial
# out of the audit log.
dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
# Allow ReadDefaultFstab().
# As described in the change that introduced this call (Change-Id
# Ie464b9a8f7a89f9cf8f4e217dad1322ba3ad0633), read_fstab grants search on
# metadata_file and gsi_metadata_file_type directories and read on
# gsi_public_metadata_file files: the DSU metadata needed to deduce the
# correct fstab.
# NOTE(review): if the macro in this tree also allows reading proc_cmdline or
# proc_bootconfig, the dontaudit rules above for those types are redundant --
# confirm against the macro definition.
read_fstab(vendor_misc_writer)