selinux: rfs_access: fix tftp_server denials when operating on tombstones file

Bug: 121294677 Sync and cherry-pick ag/4706915 to ASOP Label and add sepolicy for tftp_server to operation on tombstones file avc: denied { create } for name="modem" scontext=u:r:rfs_access:s0 tcontext=u:object_r:tombstone_vendor_data_file:s0 tclass=dir permissive=0 Change-Id: Ib01dc4fb3b6268817cc7d8d49430a47dd6993b50 Merged-In: I8cdaab1252ff934df92b7f4e52ba361f894f3227 Signed-off-by: SalmaxChang <salmaxchang@google.com>
2026-02-01 07:50:47 +00:00 · 2018-10-05 09:30:14 +08:00
parent e73d5d568d
commit a82169492c
3 changed files with 8 additions and 0 deletions
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -79,6 +79,9 @@ type sensors_vendor_data_file, file_type, data_file_type;
 type audio_vendor_data_file, file_type, data_file_type;
 type mediadrm_vendor_data_file, file_type, data_file_type;

+# Tombstone vendor data
+type tombstone_vendor_data_file, file_type, data_file_type;
+
 #diag sysfs files
 type sysfs_diag, fs_type, sysfs_type;

--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -256,6 +256,7 @@
 /data/vendor/sensors(/.*)?             u:object_r:sensors_vendor_data_file:s0
 /data/vendor/audio(/.*)?               u:object_r:audio_vendor_data_file:s0
 /data/vendor/mediadrm(/.*)?            u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/tombstones(/.*)?          u:object_r:tombstone_vendor_data_file:s0
 /data/vendor_ce/[0-9]+/ramoops(/.*)?   u:object_r:ramoops_vendor_data_file:s0

 # /
--- a/sepolicy/vendor/rfs_access.te
+++ b/sepolicy/vendor/rfs_access.te
@@ -16,3 +16,7 @@ allow rfs_access persist_rfs_file:dir create_dir_perms;
 allow rfs_access persist_rfs_file:file create_file_perms;

 allow rfs_access self:socket create_socket_perms_no_ioctl;
+
+# For ramdump entries in /data/vendor/tombstones
+allow rfs_access tombstone_vendor_data_file:dir create_dir_perms;
+allow rfs_access tombstone_vendor_data_file:file create_file_perms;