From 1e17dafc6d6b18b963913e8a4082ae1d2c3c47ac Mon Sep 17 00:00:00 2001
From: Tao Bao <tbao@google.com>
Date: Wed, 22 Jun 2016 12:16:47 -0700
Subject: [PATCH] update_verifier: Allow searching /dev/block.

update_verifier calls the bootcontrol HAL to mark the currently booting slot
as successfully booted, which requires path lookup through /dev/block.

avc: denied { search } for name="block" dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0
avc: denied { search } for name="block" dev="tmpfs" scontext=u:r:update_verifier:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=0

Bug: 29569601
Test: Device boots up with no update_verifier denials and 'bootctl is-slot-marked-successful 0' returns 0.
Change-Id: I1baa7819bc829e3c4b83d7168008a5b06b01cc9f
---
 update_verifier.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/update_verifier.te b/update_verifier.te
index 65438d342..d42c81fc2 100644
--- a/update_verifier.te
+++ b/update_verifier.te
@@ -5,4 +5,7 @@ type update_verifier_exec, exec_type, file_type;
 
 init_daemon_domain(update_verifier)
 
+# Allow update_verifier to reach block devices in /dev/block.
+allow update_verifier block_device:dir search;
+
 # TODO: Add rules to allow update_verifier to read system_block_device.
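Review bot: The comment above the added `allow` line overstates what the rule grants: `block_device:dir search` permits only pathname lookup through /dev/block, not opening or reading any node under it, and the TODO on the following line confirms the node-level rules are still outstanding. Suggest the comment state that scope explicitly, e.g. `# Path lookup only: let update_verifier search /dev/block so the bootcontrol HAL can resolve its device node. Opening a node still needs a blk_file rule for that node's label.` Since the two avc lines in the description were logged at permissive=0, the next denial will presumably be a blk_file open/read on whichever label the HAL's device carries; tying this rule's comment to the bootcontrol HAL call keeps a future reviewer from reading it as blanket /dev/block access.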
-- 
GitLab