From 13c6400e11fd253f6615f1ceb7e3f8090bfcf1c4 Mon Sep 17 00:00:00 2001
From: Tao Bao
Date: Thu, 29 Jun 2017 16:49:06 -0700
Subject: [PATCH] Grant update_verifier sysfs access.
avc: denied { read } for pid=694 comm="update_verifier" name="block" dev="sysfs" ino=27770 scontext=u:r:update_verifier:s0 tcontext=u:object_r:sysfs:s0 tclass=dir
avc: denied { read } for pid=719 comm="update_verifier" name="name" dev="sysfs" ino=51336 scontext=u:r:update_verifier:s0 tcontext=u:object_r:sysfs:s0 tclass=file
update_verifier reads /sys/block/dm-X/dm/name to find the device-mapper entries for system and vendor partitions. Also remove the unneeded "block_device:dir r_dir_perms" permission.
Bug: 63146601
Test: As follows. a) Set up /data/ota_package/care_map.txt. b) Reset the slot boot-successful flag with fastboot set_active. c) Boot the device and check update_verifier successfully verifies the blocks.
Change-Id: I581136249e93ec2d4bd9ceda316590ee31148643
---
sepolicy/vendor/update_verifier.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sepolicy/vendor/update_verifier.te b/sepolicy/vendor/update_verifier.te
index de8bd583..cdc304f7 100644
--- a/sepolicy/vendor/update_verifier.te
+++ b/sepolicy/vendor/update_verifier.te
@@ -1 +1,4 @@
-allow update_verifier block_device:dir r_dir_perms;
+# update_verifier reads /sys/block/dm-X/dm/name to find the device-mapper
+# entries for system and vendor partitions.
+allow update_verifier sysfs:file r_file_perms;
+allow update_verifier sysfs:dir r_dir_perms;
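Review bot: Both added allow rules target the generic `sysfs` type, so update_verifier can read every sysfs directory and file that still carries the default label, not only the `/sys/block/dm-X/dm/name` nodes the comment names. A narrower grant would label the device-mapper sysfs nodes with a dedicated type through a `genfscon sysfs` entry and allow only that type, e.g. `allow update_verifier sysfs_dm:dir r_dir_perms;` and `allow update_verifier sysfs_dm:file r_file_perms;`. Whether this tree already defines such a type is not visible from the patch, so the type name here is a suggestion to check against the base policy. If the broad rule has to stay for now, the comment should say so: `# TODO: restrict to a dedicated dm sysfs type once the nodes are labelled`.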