diff options
-rw-r--r-- | private/compat/26.0/26.0.ignore.cil | 1 | ||||
-rw-r--r-- | private/compat/27.0/27.0.ignore.cil | 1 | ||||
-rw-r--r-- | private/file_contexts | 4 | ||||
-rw-r--r-- | public/domain.te | 6 | ||||
-rw-r--r-- | public/file.te | 3 |
5 files changed, 15 insertions, 0 deletions
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil index 68d6b409..bc31452d 100644 --- a/private/compat/26.0/26.0.ignore.cil +++ b/private/compat/26.0/26.0.ignore.cil | |||
@@ -66,6 +66,7 @@ | |||
66 | lowpan_service | 66 | lowpan_service |
67 | mediaextractor_update_service | 67 | mediaextractor_update_service |
68 | mediaprovider_tmpfs | 68 | mediaprovider_tmpfs |
69 | mnt_vendor_file | ||
69 | netd_stable_secret_prop | 70 | netd_stable_secret_prop |
70 | network_watchlist_data_file | 71 | network_watchlist_data_file |
71 | network_watchlist_service | 72 | network_watchlist_service |
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil index 1eaf22a7..0571bfc7 100644 --- a/private/compat/27.0/27.0.ignore.cil +++ b/private/compat/27.0/27.0.ignore.cil | |||
@@ -54,6 +54,7 @@ | |||
54 | lowpan_prop | 54 | lowpan_prop |
55 | lowpan_service | 55 | lowpan_service |
56 | mediaextractor_update_service | 56 | mediaextractor_update_service |
57 | mnt_vendor_file | ||
57 | network_watchlist_data_file | 58 | network_watchlist_data_file |
58 | network_watchlist_service | 59 | network_watchlist_service |
59 | perfetto | 60 | perfetto |
diff --git a/private/file_contexts b/private/file_contexts index 109f2190..4e2a7654 100644 --- a/private/file_contexts +++ b/private/file_contexts | |||
@@ -525,3 +525,7 @@ | |||
525 | /mnt/user(/.*)? u:object_r:mnt_user_file:s0 | 525 | /mnt/user(/.*)? u:object_r:mnt_user_file:s0 |
526 | /mnt/runtime(/.*)? u:object_r:storage_file:s0 | 526 | /mnt/runtime(/.*)? u:object_r:storage_file:s0 |
527 | /storage(/.*)? u:object_r:storage_file:s0 | 527 | /storage(/.*)? u:object_r:storage_file:s0 |
528 | |||
529 | ############################# | ||
530 | # mount point for read-write vendor partitions | ||
531 | /mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0 | ||
diff --git a/public/domain.te b/public/domain.te index 0e815b60..9458d796 100644 --- a/public/domain.te +++ b/public/domain.te | |||
@@ -1363,3 +1363,9 @@ userdebug_or_eng(` | |||
1363 | dontaudit domain proc_type:file create; | 1363 | dontaudit domain proc_type:file create; |
1364 | dontaudit domain sysfs_type:file create; | 1364 | dontaudit domain sysfs_type:file create; |
1365 | ') | 1365 | ') |
1366 | |||
1367 | # Platform must not have access to /mnt/vendor. | ||
1368 | neverallow { | ||
1369 | coredomain | ||
1370 | -init | ||
1371 | } mnt_vendor_file:dir *; | ||
diff --git a/public/file.te b/public/file.te index 5a5ee80b..01b489d7 100644 --- a/public/file.te +++ b/public/file.te | |||
@@ -225,6 +225,9 @@ type storage_file, file_type; | |||
225 | type mnt_media_rw_stub_file, file_type; | 225 | type mnt_media_rw_stub_file, file_type; |
226 | type storage_stub_file, file_type; | 226 | type storage_stub_file, file_type; |
227 | 227 | ||
228 | # Mount location for read-write vendor partitions. | ||
229 | type mnt_vendor_file, file_type; | ||
230 | |||
228 | # /postinstall: Mount point used by update_engine to run postinstall. | 231 | # /postinstall: Mount point used by update_engine to run postinstall. |
229 | type postinstall_mnt_dir, file_type; | 232 | type postinstall_mnt_dir, file_type; |
230 | # Files inside the /postinstall mountpoint are all labeled as postinstall_file. | 233 | # Files inside the /postinstall mountpoint are all labeled as postinstall_file. |