diff options
author | Alan Stokes <alanstokes@google.com> | 2018-02-26 14:07:12 +0000 |
---|---|---|
committer | Alan Stokes <alanstokes@google.com> | 2018-02-26 16:47:23 +0000 |
commit | e8a1ddb264a7709cbb6589d0d4e8d3c0616d8a79 (patch) | |
tree | 7572200f62364c865399d31b2958d634f3a85e94 | |
parent | 6a1438687150d1f38f1871967bc23305067aa123 (diff) | |
download | bonito-e8a1ddb264a7709cbb6589d0d4e8d3c0616d8a79.tar.gz |
Allow rfs_access (tftp server) to create its tombstone directories.
It runs as system, but data/vendor/tombstone is writeable only by
root, so we get init to create the initial directory. rfs_access then
creates sub-directories.
Denials:
denied { write } for name="rfs" dev="sda19" ino=51687 scontext=u:r:rfs_access:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir
denied { add_name } for name="modem" scontext=u:r:rfs_access:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir
denied { create } for name="modem" scontext=u:r:rfs_access:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir
denied { setattr } for name="modem" dev="sda19" ino=51689 scontext=u:r:rfs_access:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=dir
Bug: 72643420
Test: Device boots, denials gone.
Change-Id: Ia5fba7aa59ee52367f72ce4ee337298d1c7ae915
-rw-r--r-- | init.hardware.mpssrfs.rc.user | 1 | ||||
-rw-r--r-- | init.hardware.mpssrfs.rc.userdebug | 1 | ||||
-rw-r--r-- | sepolicy/vendor/file.te | 4 | ||||
-rw-r--r-- | sepolicy/vendor/file_contexts | 1 | ||||
-rw-r--r-- | sepolicy/vendor/rfs_access.te | 2 |
5 files changed, 7 insertions, 2 deletions
diff --git a/init.hardware.mpssrfs.rc.user b/init.hardware.mpssrfs.rc.user index ac7bacca..99cb03ab 100644 --- a/init.hardware.mpssrfs.rc.user +++ b/init.hardware.mpssrfs.rc.user @@ -2,3 +2,4 @@ on post-fs-data # Modem Remote FS mkdir /data/vendor/rfs 0700 system system mkdir /data/vendor/rfs/mpss 0700 system system + mkdir /data/vendor/tombstones/rfs 0700 system system diff --git a/init.hardware.mpssrfs.rc.userdebug b/init.hardware.mpssrfs.rc.userdebug index 6abf2e33..5b2de5cc 100644 --- a/init.hardware.mpssrfs.rc.userdebug +++ b/init.hardware.mpssrfs.rc.userdebug @@ -2,6 +2,7 @@ on post-fs-data # Modem Remote FS mkdir /data/vendor/rfs 0700 system system mkdir /data/vendor/rfs/mpss 0700 system system + mkdir /data/vendor/tombstones/rfs 0700 system system write /data/vendor/rfs/mpss/mcfg_nv_list_flag "1" chown system system /data/vendor/rfs/mpss/mcfg_nv_list_flag chmod 0700 /data/vendor/rfs/mpss/mcfg_nv_list_flag diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te index 0e4e11ed..4d6d6144 100644 --- a/sepolicy/vendor/file.te +++ b/sepolicy/vendor/file.te @@ -68,7 +68,6 @@ type cnss_vendor_data_file, file_type, data_file_type, mlstrustedobject; type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; type modem_dump_file, file_type, data_file_type; type sensors_vendor_data_file, file_type, data_file_type; - type vendor_firmware_file, vendor_file_type, file_type; #data sysfs files @@ -79,5 +78,6 @@ type sysfs_diag, fs_type, sysfs_type; type hexagon_halide_file, vendor_file_type, file_type; -#mpss rfs files +#rfs files type mpss_rfs_data_file, data_file_type, file_type; +type rfs_tombstone_data_file, data_file_type, file_type; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts index 86b1de2e..bd9a7e27 100644 --- a/sepolicy/vendor/file_contexts +++ b/sepolicy/vendor/file_contexts @@ -232,6 +232,7 @@ /data/vendor/ipa(/.*)? u:object_r:ipa_vendor_data_file:s0 /data/vendor/sensors(/.*)? u:object_r:sensors_vendor_data_file:s0 /data/vendor/rfs/mpss(/.*)? u:object_r:mpss_rfs_data_file:s0 +/data/vendor/tombstones/rfs(/.*)? u:object_r:rfs_tombstone_data_file:s0 # / /tombstones u:object_r:rootfs:s0 diff --git a/sepolicy/vendor/rfs_access.te b/sepolicy/vendor/rfs_access.te index 306daefb..1751eef4 100644 --- a/sepolicy/vendor/rfs_access.te +++ b/sepolicy/vendor/rfs_access.te @@ -16,5 +16,7 @@ allow rfs_access persist_rfs_file:dir create_dir_perms; allow rfs_access persist_rfs_file:file create_file_perms; allow rfs_access mpss_rfs_data_file:dir create_dir_perms; allow rfs_access mpss_rfs_data_file:file create_file_perms; +allow rfs_access rfs_tombstone_data_file:dir create_dir_perms; +allow rfs_access rfs_tombstone_data_file:file create_file_perms; allow rfs_access self:socket create_socket_perms_no_ioctl; |