Allow vendor_init to write to misc_block_device

Vendors may use this to write custom messages to their bootloader, and as the bootloader is under vendor control, this makes sense to allow. Bug: 77881566 Test: build Change-Id: I78f80400e5f386cad1327a9209ee1afc8e334e56
author: Tom Cherry 2018-04-11 16:56:47 -0500
committer: Jeffrey Vander Stoep 2018-04-13 11:39:48 -0500
commit: db465285cfe5724d83021888c42ba93f0e8ee415 (patch)
tree: 850a7c1fce20bcd70baff435bbadbbe3759426f8
parent: 224921d18a8aa83123adfbdef8e9c352795e2b6b (diff)
download: system-sepolicy-db465285cfe5724d83021888c42ba93f0e8ee415.tar.gz
system-sepolicy-db465285cfe5724d83021888c42ba93f0e8ee415.tar.xz
system-sepolicy-db465285cfe5724d83021888c42ba93f0e8ee415.zip
2 files changed, 4 insertions, 0 deletions
diff --git a/public/domain.te b/public/domain.te
index 4f026232..31345be8 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -600,6 +600,7 @@ neverallow {
  -init
  -uncrypt
  -update_engine
+  -vendor_init
  -vold
  -recovery
  -ueventd
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 02739250..362244ee 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -146,6 +146,9 @@ allow vendor_init serialno_prop:file { getattr open read };
 # Vendor init can perform operations on trusted and security Extended Attributes
 allow vendor_init self:global_capability_class_set sys_admin;
+# Raw writes to misc block device
+allow vendor_init misc_block_device:blk_file w_file_perms;
 not_compatible_property(`
    set_prop(vendor_init, {
      property_type
author	Tom Cherry	2018-04-11 16:56:47 -0500
committer	Jeffrey Vander Stoep	2018-04-13 11:39:48 -0500
commit	db465285cfe5724d83021888c42ba93f0e8ee415 (patch)
tree	850a7c1fce20bcd70baff435bbadbbe3759426f8
parent	224921d18a8aa83123adfbdef8e9c352795e2b6b (diff)
download	system-sepolicy-db465285cfe5724d83021888c42ba93f0e8ee415.tar.gz system-sepolicy-db465285cfe5724d83021888c42ba93f0e8ee415.tar.xz system-sepolicy-db465285cfe5724d83021888c42ba93f0e8ee415.zip