authorJoel Galenson2018-04-11 14:13:25 -0500
committerJoel Galenson2018-04-13 11:47:58 -0500
commitfc870ce954ca3945b90c4034ab446f775aac2139 (patch)
tree8e813a3a3a7f6892b19158733aa01d518e9d1c76
parent45c72ddfcf2eb6f40b4b77600533576c8b02e452 (diff)
Allow some vold_prepare_subdirs denials.
This addresses the following denials: avc: denied { fowner } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability avc: denied { getattr } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:storaged_data_file:s0 tclass=file avc: denied { relabelfrom } for comm="vold_prepare_su" name="storaged" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir avc: denied { getattr } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 77875245 Test: Boot device. Test: Mislabel directories used by vold_prepare_subdirs, reboot, and ensure it can relabel them without denials. Test: Add user, reboot, delete user, reboot, observe no denials. (cherry picked from commit 855dd5a8562494f78f99e5bd5096f617ac70438f) Merged-In: Id67bc99f151a6ccb9619bbfb7080452956405121 Change-Id: I2f6b5abfaf81570d03a30f2edf7296b5afd10c9b
-rw-r--r--private/vold_prepare_subdirs.te10
1 files changed, 6 insertions, 4 deletions
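--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,12 +7,14 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
  system_data_file
  vendor_data_file
-}:dir { open read write add_name remove_name };
-allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
+}:dir { open read write add_name remove_name relabelfrom };
+allow vold_prepare_subdirs system_data_file:file getattr;
+allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir relabelto };
 allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
-allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
+allow vold_prepare_subdirs storaged_data_file:dir { create_dir_perms relabelto };
+allow vold_prepare_subdirs storaged_data_file:file getattr;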
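Review bot: The `relabelfrom` added to the shared `{ system_data_file vendor_data_file }:dir` rule also grants it on `vendor_data_file`, whereas the denials quoted in the commit message show `relabelfrom` only for a `system_data_file` directory (name="storaged"). If vendor directories are not expected to need relabelling, a narrower form is a separate `allow vold_prepare_subdirs system_data_file:dir relabelfrom;` with the shared rule left as it was. The new `fowner` capability sits beside `dac_override`, so together they let this domain bypass both permission and ownership checks. A short comment above that line, for example `# fowner: needed by rm when cleaning up per-user dirs (b/77875245)`, would record why it is granted; that reason is inferred from the denial's comm="rm" and should be confirmed. The file's first six lines and any neverallow rules that bound these grants are outside the hunk.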