aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorTom Cherry2018-04-11 16:56:47 -0500
committerJeffrey Vander Stoep2018-04-13 11:39:48 -0500
commitdb465285cfe5724d83021888c42ba93f0e8ee415 (patch)
tree850a7c1fce20bcd70baff435bbadbbe3759426f8
parent224921d18a8aa83123adfbdef8e9c352795e2b6b (diff)
downloadsystem-sepolicy-db465285cfe5724d83021888c42ba93f0e8ee415.tar.gz
system-sepolicy-db465285cfe5724d83021888c42ba93f0e8ee415.tar.xz
system-sepolicy-db465285cfe5724d83021888c42ba93f0e8ee415.zip
Allow vendor_init to write to misc_block_device
Vendors may use this to write custom messages to their bootloader, and as the bootloader is under vendor control, this makes sense to allow. Bug: 77881566 Test: build Change-Id: I78f80400e5f386cad1327a9209ee1afc8e334e56
-rw-r--r--public/domain.te1
-rw-r--r--public/vendor_init.te3
2 files changed, 4 insertions, 0 deletions
diff --git a/public/domain.te b/public/domain.te
index 4f026232..31345be8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -600,6 +600,7 @@ neverallow {
600 -init 600 -init
601 -uncrypt 601 -uncrypt
602 -update_engine 602 -update_engine
603 -vendor_init
603 -vold 604 -vold
604 -recovery 605 -recovery
605 -ueventd 606 -ueventd
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 02739250..362244ee 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -146,6 +146,9 @@ allow vendor_init serialno_prop:file { getattr open read };
146# Vendor init can perform operations on trusted and security Extended Attributes 146# Vendor init can perform operations on trusted and security Extended Attributes
147allow vendor_init self:global_capability_class_set sys_admin; 147allow vendor_init self:global_capability_class_set sys_admin;
148 148
149# Raw writes to misc block device
150allow vendor_init misc_block_device:blk_file w_file_perms;
151
149not_compatible_property(` 152not_compatible_property(`
150 set_prop(vendor_init, { 153 set_prop(vendor_init, {
151 property_type 154 property_type