tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/cppreopts.te
Bowgo Tsai 35c2f102f2 Ignore the denial when system_other is erased 
This CL addresses the following denial, when the system_other
partition is erased. This happens when 1) the device gets an
OTA update and 2) factory reset to wipe userdata partition.

Note that the system_other partition will be mounted under
/postinstall only in the first boot after factory reset.
Also, system_other.img is only included in the factory ROM and
is absent in the OTA package. When it is absent and userdata
is wiped, the mount will fail and triggers the following denials
when both cppreopts.sh and preloads_copy.sh access /postinstall dir.

SELinux denials to address:
  avc: denied { search } for comm="find" name="postinstall" dev="dm-5"
  ino=44 scontext=u:r:preloads_copy:s0
  tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir permissive=0

  avc: denied { search } for comm="cppreopts.sh" name="postinstall" dev="dm-5"
  ino=44 scontext=u:r:cppreopts:s0
  tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir permissive=0

Bug: 152453231
Test: fastboot erase system_other (e.g., system_b) and fastboot -w
Change-Id: Ie67f02467d5da51b0caba6e8fda56bc2c6bbc944
2020-03-31 13:58:11 +08:00

31 lines
1.2 KiB
Text
Raw Blame History

# cppreopts
#
# This command copies preopted files from the system_b partition to the data
# partition. This domain ensures that we are only copying into specific
# directories.
type cppreopts, domain, mlstrustedsubject, coredomain;
type cppreopts_exec, system_file_type, exec_type, file_type;
# Technically not a daemon but we do want the transition from init domain to
# cppreopts to occur.
init_daemon_domain(cppreopts)
domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
# Allow cppreopts copy files into the dalvik-cache
allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
# Allow cppreopts to execute itself using #!/system/bin/sh
allow cppreopts shell_exec:file rx_file_perms;
# Allow us to run find on /postinstall
allow cppreopts system_file:dir { open read };
# Allow running the cp command using cppreopts permissions. Needed so we can
# write into dalvik-cache
allow cppreopts toolbox_exec:file rx_file_perms;
# Silence the denial when /postinstall cannot be mounted, e.g., system_other
# is wiped, but cppreopts.sh still runs.
dontaudit cppreopts postinstall_mnt_dir:dir search;
Reference in a new issue View git blame Copy permalink