Narrow down tftp_server's access to /persist

avc: denied { dac_override } scontext=u:r:rfs_access:s0 econtext=u:r:rfs_access:s0 tclass=capability Bug: 62074287 Bug: 38214174 Test: build and boot device. No denials in the logs related to /persist/rfs or /persist/hlos_rfs. All files have correct label. Change-Id: Ic63d1684af2d2b3a1ea75a3aacf2ab2a5ebe36a2
2026-02-01 07:50:47 +00:00 · 2017-06-22 11:44:59 -07:00
parent 7e1d99c8ac
commit 24c1a1f556
4 changed files with 12 additions and 3 deletions
--- a/init.hardware.rc
+++ b/init.hardware.rc
@@ -155,9 +155,13 @@ on fs
    mount_all /vendor/etc/fstab.${ro.hardware} --early
    swapon_all /vendor/etc/fstab.${ro.hardware}

-    restorecon_recursive /persist
    mkdir /persist/data 0700 system system
    mkdir /persist/display 0770 system graphics
+    mkdir /persist/rfs 0770 root system
+    mkdir /persist/hlos_rfs 0770 root system
+    chmod 0770 /persist/rfs
+    chmod 0770 /persist/hlos_rfs
+    restorecon_recursive /persist

    # Start HW service manager early
    start hwservicemanager
@@ -527,6 +531,7 @@ service rmt_storage /vendor/bin/rmt_storage
 service tftp_server /vendor/bin/tftp_server
   class core
   user root
+   group root system

 service wpa_supplicant /vendor/bin/hw/wpa_supplicant \
    -ip2p0 -Dnl80211 -c/data/misc/wifi/p2p_supplicant.conf \
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -47,6 +47,7 @@ type persist_data_file, file_type;
 type persist_display_file, file_type;
 type persist_drm_file, file_type;
 type persist_haptics_file, file_type;
+type persist_rfs_file, file_type;
 type persist_sensors_file, file_type;
 type persist_time_file, file_type;

--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -318,6 +318,8 @@
 /persist/display(/.*)?    u:object_r:persist_display_file:s0
 /persist/drm(/.*)?        u:object_r:persist_drm_file:s0
 /persist/haptics(/.*)?    u:object_r:persist_haptics_file:s0
+/persist/hlos_rfs(/.*)?   u:object_r:persist_rfs_file:s0
+/persist/rfs(/.*)?        u:object_r:persist_rfs_file:s0
 /persist/sensors(/.*)?    u:object_r:persist_sensors_file:s0
 /persist/time(/.*)?       u:object_r:persist_time_file:s0

--- a/sepolicy/vendor/rfs_access.te
+++ b/sepolicy/vendor/rfs_access.te
@@ -11,7 +11,8 @@ wakelock_use(rfs_access)
 # For tftp server file access
 allow rfs_access firmware_file:dir search;
 allow rfs_access firmware_file:file r_file_perms;
-allow rfs_access persist_file:dir { create rw_dir_perms setattr };
-allow rfs_access persist_file:file create_file_perms;
+allow rfs_access persist_file:dir search;
+allow rfs_access persist_rfs_file:dir create_dir_perms;
+allow rfs_access persist_rfs_file:file create_file_perms;

 allow rfs_access self:socket create_socket_perms_no_ioctl;