-
Tianjie Xu authored
Grant update_verifier the permissions to read /data/ota_package/ and the blocks on system partition. The denial messages: update_verifier: type=1400 audit(0.0:29): avc: denied { read } for name="care_map.txt" dev="sda35" ino=1368066 scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1 update_verifier: type=1400 audit(0.0:30): avc: denied { open } for path="/data/ota_package/care_map.txt" dev="sda35" ino=1368066 scontext=u:r:update_verifier:s0 tcontext=u:object_r:ota_package_file:s0 tclass=file permissive=1 update_verifier: type=1400 audit(0.0:31): avc: denied { read } for name="sda33" dev="tmpfs" ino=5613 scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1 update_verifier: type=1400 audit(0.0:32): avc: denied { open } for path="/dev/block/sda33" dev="tmpfs" ino=5613 scontext=u:r:update_verifier:s0 tcontext=u:object_r:system_block_device:s0 tclass=blk_file permissive=1 Test: On sailfish, update_verifier reads the blocks successfully during boot time. Bug: 30020920 Change-Id: I10777c1e6ba649b82c4a73171124742edeb059975d8d2dc9
update_verifier.te 567 B
# update_verifier
# update_verifier uses the boot_control_hal.
type update_verifier, domain, boot_control_hal;
type update_verifier_exec, exec_type, file_type;
init_daemon_domain(update_verifier)
# Allow update_verifier to reach block devices in /dev/block.
allow update_verifier block_device:dir search;
# Read care map in /data/ota_package/.
allow update_verifier ota_package_file:dir r_dir_perms;
allow update_verifier ota_package_file:file r_file_perms;
# Read all blocks in system partition.
allow update_verifier system_block_device:blk_file r_file_perms;