e38af22c5e
Grant bootanimation all read permissions on oem using
r_dir_file macro instead of specifying individual permissions.
This prevents failure to read the bootanimation on oem if
partition has been remounted.
After remount, bootanimation will log violation for the
/oem/media directory when reading an existing file (boot animation can
is still played).
avc: denied { read } for pid=2820 comm="bootanimation" name="media"
dev="sda75" ino=152 scontext=u:r:bootanim:s0
tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0
After remount, if modifying/adding file in /oem/media directory,
bootanimation will fail to read the bootanimation zip, now with
violation:
avc: denied { read } for pid=2838 comm="bootanimation" name="media"
dev="dm-8" ino=70 scontext=u:r:bootanim:s0 tcontext=u:object_r:oemfs:s0
tclass=dir permissive=0
Bug: 324437684
Test: adb remount
replace /oem/media/bootanimation.zip with custom animation
adb reboot
confirm that expected bootanimation is played
confirm no selinux violations are seen in logcat
Change-Id: Iaafdeeacaf88d8f5c1214700edc8eec2824b0159
44 lines
1.3 KiB
Text
44 lines
1.3 KiB
Text
# bootanimation oneshot service
|
|
type bootanim, domain;
|
|
type bootanim_exec, system_file_type, exec_type, file_type;
|
|
|
|
hal_client_domain(bootanim, hal_configstore)
|
|
hal_client_domain(bootanim, hal_graphics_allocator)
|
|
hal_client_domain(bootanim, hal_graphics_composer)
|
|
|
|
binder_use(bootanim)
|
|
binder_call(bootanim, surfaceflinger)
|
|
binder_call(bootanim, audioserver)
|
|
|
|
hwbinder_use(bootanim)
|
|
|
|
allow bootanim gpu_device:chr_file rw_file_perms;
|
|
allow bootanim gpu_device:dir r_dir_perms;
|
|
allow bootanim sysfs_gpu:file r_file_perms;
|
|
|
|
# /oem access
|
|
r_dir_file(bootanim, oemfs);
|
|
|
|
allow bootanim audio_device:dir r_dir_perms;
|
|
allow bootanim audio_device:chr_file rw_file_perms;
|
|
|
|
allow bootanim audioserver_service:service_manager find;
|
|
allow bootanim surfaceflinger_service:service_manager find;
|
|
allow bootanim surfaceflinger:unix_stream_socket { read write };
|
|
|
|
# Allow access to ion memory allocation device
|
|
allow bootanim ion_device:chr_file rw_file_perms;
|
|
|
|
# Allow access to DMA-BUF system heap
|
|
allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
|
|
|
|
allow bootanim hal_graphics_allocator:fd use;
|
|
|
|
# Fences
|
|
allow bootanim hal_graphics_composer:fd use;
|
|
|
|
# Read access to pseudo filesystems.
|
|
allow bootanim proc_meminfo:file r_file_perms;
|
|
|
|
# System file accesses.
|
|
allow bootanim system_file:dir r_dir_perms;
|