platform_system_sepolicy/public/vendor_misc_writer.te
Tao Bao 68a88d4c5c Ignore the denial due to vendor_misc_writer reading DT fstab.
This CL addresses the following denial, when vendor_misc_writer tries to
read DT fstab (i.e. device tree fstab) for /misc entry.

avc: denied { search } for comm="misc_writer" name="android" dev="sysfs" ino=17456 scontext=u:r:vendor_misc_writer:s0 tcontext=u:object_r:sysfs_dt_firmware_android:s0 tclass=dir

DT fstab was used for devices shipped prior to Q, for early-mounting
partitions (e.g. /system, /vendor, /product), which has been disallowed
for Q launch devices. vendor_misc_writer is a new module added since Q,
so it doesn't need to worry about the legacy code path; in practice
there's no benefit of putting /misc entry into DT fstab either.

Bug: 134122603
Test: Build and flash taimen with the change that enables
      vendor_misc_writer. Check that it no longer gives the above denial
      during boot.
Change-Id: Id2fb206706f7cd19a4cde2701e4155bfc03f01b4
2019-10-10 22:17:53 -07:00

13 lines
551 B
Text

# vendor_misc_writer
type vendor_misc_writer, domain;
type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
# Raw writes to misc_block_device
allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
allow vendor_misc_writer block_device:dir r_dir_perms;
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
dontaudit vendor_misc_writer proc_cmdline:file read;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;