author | Tri Vo | 2018-04-10 22:49:45 -0500 |
---|---|---|
committer | Tri Vo | 2018-04-17 16:04:15 -0500 |
commit | 8c1a1b24725e49f0dce8ad371c7076b2ebfdde06 (patch) | |
tree | b1854a6427364c0bcac9083695373fe8a20c3427 /public | |
parent | 53cabd6c352dd37608be0e8bebfabf5b1edcd31b (diff) | |
Sepolicy for rw mount point for vendors.
Bug: 64905218
Test: device boots with /mnt/vendor present and selinux label
mnt_vendor_file applied correctly.
Change-Id: Ib34e2859948019d237cf2fe8f71845ef2533ae27
Merged-In: Ib34e2859948019d237cf2fe8f71845ef2533ae27
(cherry picked from commit 210a805b46782a2a49bf5338732cf8c6abaf95de)
Diffstat (limited to 'public')
-rw-r--r-- | public/domain.te | 6 | ||||
-rw-r--r-- | public/file.te | 3 |
2 files changed, 9 insertions, 0 deletions
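--- a/public/domain.te
+++ b/public/domain.te
@@ -1363,3 +1363,9 @@ userdebug_or_eng(`
 dontaudit domain proc_type:file create;
 dontaudit domain sysfs_type:file create;
 ')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+coredomain
+-init
+} mnt_vendor_file:dir *;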
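Review bot: The new neverallow is scoped to class `dir` only, while the comment above it says the platform must not have access to /mnt/vendor at all. Denying every `dir` permission blocks path lookup through the mount point, but a file, symlink or socket that ends up labelled `mnt_vendor_file` (for example by inheriting the parent directory's label) is not covered by this assertion, and neither is access through a descriptor that was opened elsewhere and passed in. Consider widening the target to `} mnt_vendor_file:dir_file_class_set *;`, or narrowing the comment to `# Platform must not access the /mnt/vendor directory itself; init is exempt (presumably to set up the mount point).` so the `-init` exception is explained as well.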
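--- a/public/file.te
+++ b/public/file.te
@@ -225,6 +225,9 @@ type storage_file, file_type;
 type mnt_media_rw_stub_file, file_type;
 type storage_stub_file, file_type;
 
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.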
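Review bot: The comment on `mnt_vendor_file` does not name the path the type labels, unlike the `/postinstall:` comment directly below it; `# /mnt/vendor: Mount location for read-write vendor partitions.` would match the neighbouring style. The neverallow added to public/domain.te only constrains objects that actually carry this label, and the file_contexts entry that applies it to /mnt/vendor is not visible on this page (the diffstat is limited to 'public'). It is worth confirming that entry exists and that content created beneath the mount point is given vendor-specific types rather than inheriting `mnt_vendor_file`.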