author | Joel Galenson | 2018-04-11 14:13:25 -0500 |
---|---|---|
committer | Joel Galenson | 2018-04-13 11:47:58 -0500 |
commit | fc870ce954ca3945b90c4034ab446f775aac2139 (patch) | |
tree | 8e813a3a3a7f6892b19158733aa01d518e9d1c76 /private | |
parent | 45c72ddfcf2eb6f40b4b77600533576c8b02e452 (diff) | |
Allow some vold_prepare_subdirs denials.
This addresses the following denials:
avc: denied { fowner } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability
avc: denied { getattr } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:storaged_data_file:s0 tclass=file
avc: denied { relabelfrom } for comm="vold_prepare_su" name="storaged" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir
avc: denied { getattr } for comm="rm" scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:object_r:system_data_file:s0 tclass=file
Bug: 77875245
Test: Boot device.
Test: Mislabel directories used by vold_prepare_subdirs, reboot, and
ensure it can relabel them without denials.
Test: Add user, reboot, delete user, reboot, observe no denials.
(cherry picked from commit 855dd5a8562494f78f99e5bd5096f617ac70438f)
Merged-In: Id67bc99f151a6ccb9619bbfb7080452956405121
Change-Id: I2f6b5abfaf81570d03a30f2edf7296b5afd10c9b
Diffstat (limited to 'private')
-rw-r--r-- | private/vold_prepare_subdirs.te | 10 |
1 files changed, 6 insertions, 4 deletions
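--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -7,12 +7,14 @@ allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
 allow vold_prepare_subdirs vold:fd use;
 allow vold_prepare_subdirs vold:fifo_file { read write };
 allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override };
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
 allow vold_prepare_subdirs self:process setfscreate;
 allow vold_prepare_subdirs {
 system_data_file
 vendor_data_file
-}:dir { open read write add_name remove_name };
-allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir };
+}:dir { open read write add_name remove_name relabelfrom };
+allow vold_prepare_subdirs system_data_file:file getattr;
+allow vold_prepare_subdirs vold_data_file:dir { create open read write search getattr setattr remove_name rmdir relabelto };
 allow vold_prepare_subdirs vold_data_file:file { getattr unlink };
-allow vold_prepare_subdirs storaged_data_file:dir create_dir_perms;
+allow vold_prepare_subdirs storaged_data_file:dir { create_dir_perms relabelto };
+allow vold_prepare_subdirs storaged_data_file:file getattr;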
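Review bot: The `relabelfrom` added to the shared `{ system_data_file vendor_data_file }:dir` block grants it to vendor_data_file as well, while the only relabelfrom denial quoted in the description (name="storaged") is against system_data_file; if vendor directories are not relabeled, a separate `allow vold_prepare_subdirs system_data_file:dir relabelfrom;` keeps the grant to the observed case. Since the grouped block already existed for the other permissions this may be deliberate, but the scope is not stated anywhere in the file; a comment above the block such as `# relabelfrom: lets vold_prepare_subdirs restore the labels of directories it owns; the reachable targets are bounded by the relabelto grants below (vold_data_file, storaged_data_file)` would make the bound reviewable without re-deriving it. The new `fowner` capability is likewise undocumented beyond the avc line for `rm` in the commit message; naming the operation that needs it in a trailing comment would help later audits distinguish it from the pre-existing `chown dac_override` grants.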