68a88d4c5c
This CL addresses the following denial, when vendor_misc_writer tries to read DT fstab (i.e. device tree fstab) for the /misc entry. avc: denied { search } for comm="misc_writer" name="android" dev="sysfs" ino=17456 scontext=u:r:vendor_misc_writer:s0 tcontext=u:object_r:sysfs_dt_firmware_android:s0 tclass=dir DT fstab was used for devices shipped prior to Q, for early-mounting partitions (e.g. /system, /vendor, /product), which has been disallowed for Q launch devices. vendor_misc_writer is a new module added in Q, so it doesn't need to support the legacy code path; in practice there's no benefit in putting the /misc entry into DT fstab either. Bug: 134122603 Test: Build and flash taimen with the change that enables vendor_misc_writer. Check that it no longer gives the above denial during boot. Change-Id: Id2fb206706f7cd19a4cde2701e4155bfc03f01b4
# vendor_misc_writer
type vendor_misc_writer, domain;
type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
# Raw writes to misc_block_device
allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
allow vendor_misc_writer block_device:dir r_dir_perms;
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
dontaudit vendor_misc_writer proc_cmdline:file read;
dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
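Review bot: The comment above the three dontaudit rules does not record why silencing, rather than allowing, is the intended outcome, which is the information a later maintainer needs when another DT-fstab denial shows up for this domain. The commit message states that vendor_misc_writer has no need for DT fstab at all, so that decision belongs in the policy file next to the rules; something like `# vendor_misc_writer never needs DT fstab (Q+ module, no early-mount); these rules only` / `# suppress audit noise from the probe and must not be upgraded to allow.` on the lines above `dontaudit vendor_misc_writer proc_cmdline:file read;`. The new rule on the last line only covers the directory search; if the probe goes on to open a node under sysfs_dt_firmware_android, a further read denial may still be logged and would need the same treatment rather than an allow.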