From 0a4f88cbd3025da52588a6f1f901bb075a444151 Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Tue, 9 May 2017 11:08:47 -0700
Subject: [PATCH] Fixing Taimen OTAs for enforcing before turning it on globally

denied { ioctl } for pid=570 comm="boot@1.0-servic" path="/dev/block/sde" dev="tmpfs" ino=19779 ioctlcmd=1268 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
denied { open } for pid=570 comm="boot@1.0-servic" path="/dev/block/sde" dev="tmpfs" ino=19779 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
denied { read write } for pid=570 comm="boot@1.0-servic" name="sde" dev="tmpfs" ino=19779 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
denied { getattr } for pid=570 comm="boot@1.0-servic" path="/dev/block/sde13" dev="tmpfs" ino=19819 scontext=u:r:hal_bootctl_default:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file

Bug: 34784662
Test: OTAs work
Change-Id: Idd78395353c54f5d81220f7c8073ab90ee22af2f
---
 sepolicy/file_contexts | 5 +++++
 sepolicy/hal_bootctl.te | 2 +-
 sepolicy/update_engine_common.te | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 1b502a8c..938dbc92 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -106,6 +106,11 @@
 # Block devices for the drive that holds the xbl_a and xbl_b partitions.
 /dev/block/sd[bc]1? u:object_r:xbl_block_device:s0
 
+# Block device for hal_bootctl
+/dev/block/sde u:object_r:boot_block_device:s0
+/dev/block/sde13 u:object_r:boot_block_device:s0
+/dev/block/sde27 u:object_r:boot_block_device:s0
+
 # files in sysfs
 /sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
 /sys/class/uio(/.*)? u:object_r:sysfs_uio:s0
diff --git a/sepolicy/hal_bootctl.te b/sepolicy/hal_bootctl.te
index 06653fd0..8d7fc878 100644
--- a/sepolicy/hal_bootctl.te
+++ b/sepolicy/hal_bootctl.te
@@ -8,7 +8,7 @@ allow hal_bootctl block_device:dir r_dir_perms;
 # Edit the attributes stored in the GPT.
 allow hal_bootctl gpt_block_device:blk_file rw_file_perms;
 allow hal_bootctl ab_block_device:blk_file getattr;
-allow hal_bootctl boot_block_device:blk_file getattr;
+allow hal_bootctl boot_block_device:blk_file rw_file_perms;
 allow hal_bootctl modem_block_device:blk_file getattr;
 allow hal_bootctl system_block_device:blk_file getattr;
diff --git a/sepolicy/update_engine_common.te b/sepolicy/update_engine_common.te
index a079659c..e4fab515 100644
--- a/sepolicy/update_engine_common.te
+++ b/sepolicy/update_engine_common.te
@@ -4,5 +4,5 @@ allow update_engine_common xbl_block_device:blk_file rw_file_perms;
 allow update_engine_common ab_block_device:blk_file rw_file_perms;
 allow update_engine_common modem_block_device:blk_file rw_file_perms;
-allow update_engine_common postinstall_mnt_dir:dir getattr;
+allow update_engine_common postinstall_mnt_dir:dir r_dir_perms;
 allow update_engine_common tmpfs:lnk_file r_file_perms;
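Review bot: `/dev/block/sde` is the whole-disk node (sde13 and sde27 are partitions on it), so labelling it boot_block_device hands every domain allowed on boot_block_device raw read/write over the entire drive rather than over the boot slots alone. The hal_bootctl.te hunk already grants `rw_file_perms` on gpt_block_device under "Edit the attributes stored in the GPT.", which is the kind of access a whole-disk node is normally opened for; if the other drives' disk nodes carry that label, `/dev/block/sde u:object_r:gpt_block_device:s0` would satisfy the ioctl/open/read/write denials on sde without widening boot_block_device, leaving only sde13 and sde27 under the new label. The added comment should also say which partitions sde13 and sde27 are, as the xbl entry above does, so the label can be checked against the partition table.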
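Review bot: The new `rw_file_perms` on boot_block_device carries the ioctl permission with no ioctl allow-list, while the only ioctl in the commit's denials is ioctlcmd=1268, which appears to be BLKSSZGET (the sector-size query). Android policy can pair the allow with an `allowxperm hal_bootctl boot_block_device:blk_file ioctl { <the command from the denial> }` rule so the HAL cannot issue arbitrary block ioctls on those nodes, which matters more if the whole-disk /dev/block/sde stays under this label as the file_contexts hunk proposes. The neighbouring rules are documented only for the GPT case; a comment above the changed line stating what hal_bootctl reads and writes on boot_block_device and why would let the next reader judge the widening.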
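Review bot: The widening of postinstall_mnt_dir from `getattr` to `r_dir_perms` has no matching denial in the commit message, which lists only hal_bootctl_default denials, so it is not clear which of the added directory permissions (open, read, search and the like) update_engine was observed needing. Either add the denial to the commit message or put a one-line comment above the rule naming the operation, e.g. `# <operation seen in denial> on the postinstall mount point.`, so the grant can be re-verified later. The hunk may end at the tmpfs line or one line beyond it; the collapsed text does not show which.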