Fixing Taimen OTAs for enforcing before turning it on globally

denied { ioctl } for pid=570 comm="boot@1.0-servic" path="/dev/block/sde" dev="tmpfs" ino=19779 ioctlcmd=1268 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file denied { open } for pid=570 comm="boot@1.0-servic" path="/dev/block/sde" dev="tmpfs" ino=19779 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file denied { read write } for pid=570 comm="boot@1.0-servic" name="sde" dev="tmpfs" ino=19779 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file denied { getattr } for pid=570 comm="boot@1.0-servic" path="/dev/block/sde13" dev="tmpfs" ino=19819 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file Bug: 34784662 Test: OTAs work Change-Id: Idd78395353c54f5d81220f7c8073ab90ee22af2f
2026-02-01 07:50:47 +00:00 · 2017-05-09 11:08:47 -07:00
parent 491b6ca95b
commit 0a4f88cbd3
3 changed files with 7 additions and 2 deletions
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -106,6 +106,11 @@
 # Block devices for the drive that holds the xbl_a and xbl_b partitions.
 /dev/block/sd[bc]1?                             u:object_r:xbl_block_device:s0

+# Block device for hal_bootctl
+/dev/block/sde                                  u:object_r:boot_block_device:s0
+/dev/block/sde13                                u:object_r:boot_block_device:s0
+/dev/block/sde27                                u:object_r:boot_block_device:s0
+
 # files in sysfs
 /sys/class/thermal(/.*)?                                            u:object_r:sysfs_thermal:s0
 /sys/class/uio(/.*)?                                                u:object_r:sysfs_uio:s0
--- a/sepolicy/hal_bootctl.te
+++ b/sepolicy/hal_bootctl.te
@@ -8,7 +8,7 @@ allow hal_bootctl block_device:dir r_dir_perms;
 # Edit the attributes stored in the GPT.
 allow hal_bootctl gpt_block_device:blk_file rw_file_perms;
 allow hal_bootctl ab_block_device:blk_file getattr;
-allow hal_bootctl boot_block_device:blk_file getattr;
+allow hal_bootctl boot_block_device:blk_file rw_file_perms;
 allow hal_bootctl modem_block_device:blk_file getattr;
 allow hal_bootctl system_block_device:blk_file getattr;

--- a/sepolicy/update_engine_common.te
+++ b/sepolicy/update_engine_common.te
@@ -4,5 +4,5 @@ allow update_engine_common xbl_block_device:blk_file rw_file_perms;
 allow update_engine_common ab_block_device:blk_file rw_file_perms;
 allow update_engine_common modem_block_device:blk_file rw_file_perms;

-allow update_engine_common postinstall_mnt_dir:dir getattr;
+allow update_engine_common postinstall_mnt_dir:dir r_dir_perms;
 allow update_engine_common tmpfs:lnk_file r_file_perms;