diff options
author | Tao Bao <tbao@google.com> | 2016-02-09 14:12:58 -0800 |
---|---|---|
committer | Tao Bao <tbao@google.com> | 2016-02-09 15:16:46 -0800 |
commit | 3ec34ceb43b15c30e9c7bf1720ebea24f868d07a (patch) | |
tree | a151071b0bad0422d9b3b5c2ebcc76964391b13c | |
parent | bd0768cc93e6c934ccec62e521228fecddb5d61b (diff) | |
download | sepolicy-3ec34ceb43b15c30e9c7bf1720ebea24f868d07a.tar.gz |
update_engine: Allow to access bootctrl_block_device.
update_engine needs to access bootctrl_block_device to get and set the slot to boot.
avc: denied { write } for name="mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/mmcblk0boot1" dev="tmpfs" ino=1266 scontext=u:r:update_engine:s0 tcontext=u:object_r:bootctrl_block_device:s0 tclass=blk_file
Also track the name change of the native binder service.
avc: denied { add } for service=android.os.UpdateEngineService pid=210 uid=0 scontext=u:r:update_engine:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager
Bug: 27106053
Change-Id: Idbfef18578489db33fead0721e8f26d63db5ce09
-rw-r--r-- | service_contexts | 2 | ||||
-rw-r--r-- | update_engine.te | 3 |
2 files changed, 4 insertions, 1 deletions
diff --git a/service_contexts b/service_contexts index 4116383..5cab2d3 100644 --- a/service_contexts +++ b/service_contexts @@ -2,7 +2,7 @@ accessibility u:object_r:accessibility_service:s0 account u:object_r:account_service:s0 activity u:object_r:activity_service:s0 alarm u:object_r:alarm_service:s0 -android.os.IUpdateEngine u:object_r:update_engine_service:s0 +android.os.UpdateEngineService u:object_r:update_engine_service:s0 android.security.keystore u:object_r:keystore_service:s0 android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0 appops u:object_r:appops_service:s0 diff --git a/update_engine.te b/update_engine.te index 3fbfd8a..39b9936 100644 --- a/update_engine.te +++ b/update_engine.te @@ -33,3 +33,6 @@ allow update_engine update_engine_service:service_manager { add }; # Allow update_engine to call the callback function provided by priv_app. binder_call(update_engine, priv_app) + +# Allow read/write bootctrl block device. +allow update_engine bootctrl_block_device:blk_file rw_file_perms; |