a1b4560088
Grant observed uses of permissions being audited in domain_deprecated.
fsck
avc: granted { getattr } for path="/" dev="dm-0" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
keystore
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:keystore:s0 tcontext=u:object_r:system_file:s0 tclass=dir
sdcardd
avc: granted { read open } for path="/proc/filesystems" dev="proc" ino=4026532412 scontext=u:r:sdcardd:s0 tcontext=u:object_r:proc:s0 tclass=file
update_engine
avc: granted { getattr } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read open } for path="/proc/misc" dev="proc" ino=4026532139 scontext=u:r:update_engine:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: granted { read } for name="hw" dev="dm-1" ino=168 scontext=u:r:update_engine:s0 tcontext=u:object_r:system_file:s0 tclass=dir
vold
avc: granted { read open } for path="/vendor/lib64/hw" dev="dm-1" ino=168 scontext=u:r:vold:s0 tcontext=u:object_r:system_file:s0 tclass=dir
Test: Marlin builds and boots, avc granted messages no longer observed.
Bug: 35197529
Change-Id: Iae34ae3b9e22ba7550cf7d45dc011ab043e63424
39 lines
1.7 KiB
Text
39 lines
1.7 KiB
Text
# update_engine payload application permissions. These are shared between the
|
|
# background daemon and the recovery tool to sideload an update.
|
|
|
|
# Allow update_engine to reach block devices in /dev/block.
|
|
allow update_engine_common block_device:dir search;
|
|
|
|
# Allow read/write on system and boot partitions.
|
|
allow update_engine_common boot_block_device:blk_file rw_file_perms;
|
|
allow update_engine_common system_block_device:blk_file rw_file_perms;
|
|
|
|
# Allow to set recovery options in the BCB. Used to trigger factory reset when
|
|
# the update to an older version (channel change) or incompatible version
|
|
# requires it.
|
|
allow update_engine_common misc_block_device:blk_file rw_file_perms;
|
|
|
|
# Allow update_engine_common to mount on the /postinstall directory and reset the
|
|
# labels on the mounted filesystem to postinstall_file.
|
|
allow update_engine_common postinstall_mnt_dir:dir mounton;
|
|
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
|
|
allow update_engine_common labeledfs:filesystem relabelfrom;
|
|
|
|
# Allow update_engine_common to read and execute postinstall_file.
|
|
allow update_engine_common postinstall_file:file rx_file_perms;
|
|
allow update_engine_common postinstall_file:lnk_file r_file_perms;
|
|
allow update_engine_common postinstall_file:dir r_dir_perms;
|
|
|
|
|
|
# A postinstall program is typically a shell script (with a #!), so we allow
|
|
# to execute those.
|
|
allow update_engine_common shell_exec:file rx_file_perms;
|
|
|
|
# Allow update_engine_common to suspend, resume and kill the postinstall program.
|
|
allow update_engine_common postinstall:process { signal sigstop };
|
|
|
|
# access /proc/misc
|
|
allow update_engine proc:file r_file_perms;
|
|
|
|
# read directories on /system and /vendor
|
|
allow update_engine system_file:dir r_dir_perms;
|