From 597be44e9628eea56724e0ec576eebc2f0224d2a Mon Sep 17 00:00:00 2001
From: Joel Galenson <jgalenson@google.com>
Date: Mon, 14 May 2018 13:08:46 -0700
Subject: [PATCH] Allow vendor_init to getattr vold_metadata_file.

This relaxes the neverallow rule blocking vendor_init from doing
anything to vold_metadata_file.  The rules above it still prevent it
from doing anything other than relabelto and getattr.

Bug: 79681561
Test: Boot device and see no denials.
Change-Id: I1beb25bb9f8d69323c9fee53a140c2a084b12124
---
 prebuilts/api/28.0/public/vold.te | 1 +
 public/vold.te                    | 1 +
 2 files changed, 2 insertions(+)

diff --git a/prebuilts/api/28.0/public/vold.te b/prebuilts/api/28.0/public/vold.te
index 0b0c7663b..131f555d4 100644
--- a/prebuilts/api/28.0/public/vold.te
+++ b/prebuilts/api/28.0/public/vold.te
@@ -244,6 +244,7 @@ neverallow {
     domain
     -init
     -kernel
+    -vendor_init
     -vold
     -vold_prepare_subdirs
 } { vold_data_file vold_metadata_file }:notdevfile_class_set *;
diff --git a/public/vold.te b/public/vold.te
index 0b0c7663b..131f555d4 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -244,6 +244,7 @@ neverallow {
     domain
     -init
     -kernel
+    -vendor_init
     -vold
     -vold_prepare_subdirs
 } { vold_data_file vold_metadata_file }:notdevfile_class_set *;
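Review bot: The added `-vendor_init` exemption is wider than the stated goal: this neverallow covers both `vold_data_file` and `vold_metadata_file` for every permission on `notdevfile_class_set`, while the commit message only asks for getattr on `vold_metadata_file`. The message relies on "the rules above" to keep vendor_init constrained, but those rules and the opening of this neverallow block are outside the hunk, so that cannot be confirmed here; nothing visible shows whether they also cover `vold_data_file`. Consider a compensating rule next to this one, e.g. `neverallow vendor_init vold_data_file:notdevfile_class_set *;`, plus a comment such as `# vendor_init: only getattr/relabelto on vold_metadata_file, enforced by the narrower neverallows above`. The same point applies to the mirrored hunk in prebuilts/api/28.0/public/vold.te.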
-- 
GitLab