d5cdca08c7
Update_verifier will read dm-wrapped system/vendor partition. Therefore,
change the sepolicy accordingly.
Here's the denied message:
update_verifier: type=1400 audit(0.0:131): avc: denied { read } for
name="dm-0" dev="tmpfs" ino=15493 scontext=u:r:update_verifier:s0
tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
Bug: 34391662
Test: Read of /dev/block/dm-0 succeeds during boot time.
Change-Id: I23325bd92f6e28e9b1d62a0f2348837cece983d1
21 lines
701 B
Text
21 lines
701 B
Text
# update_verifier
|
|
# update_verifier uses the boot_control_hal.
|
|
type update_verifier, domain, boot_control_hal;
|
|
type update_verifier_exec, exec_type, file_type;
|
|
|
|
# find the boot_control_hal
|
|
allow update_verifier system_file:dir r_dir_perms;
|
|
|
|
# Allow update_verifier to reach block devices in /dev/block.
|
|
allow update_verifier block_device:dir search;
|
|
|
|
# Read care map in /data/ota_package/.
|
|
allow update_verifier ota_package_file:dir r_dir_perms;
|
|
allow update_verifier ota_package_file:file r_file_perms;
|
|
|
|
# Read all blocks in dm wrapped system partition.
|
|
allow update_verifier dm_device:blk_file r_file_perms;
|
|
|
|
# Use binderized HAL
|
|
hwbinder_use(update_verifier)
|
|
binder_call(update_verifier, hal_boot)
|