Allowing vold to search /mnt/vendor/*

vold will trim rw mount points about daily, but it is denied by SELinux: root 603 603 W Binder:603_2: type=1400 audit(0.0:11): avc: denied { search } for name="vendor" dev="tmpfs" ino=23935 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0 Allowing vold to search /mnt/vendor/* to fix the denials. Note that device-specific sepolicy needs to be extended to allow vold to send FITRIM ioctl. e.g., for /mnt/vendor/persist, it needs: allow vold persist_file:dir { ioctl open read }; Bug: 111409607 Test: boot a device, checks the above denial is gone Change-Id: Ia9f22d973e5a2e295678781de49a0f61fccd9dad

Allowing vold to search /mnt/vendor/*
vold will trim rw mount points about daily, but it is denied by SELinux: root 603 603 W Binder:603_2: type=1400 audit(0.0:11): avc: denied { search } for name="vendor" dev="tmpfs" ino=23935 scontext=u:r:vold:s0 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0 Allowing vold to search /mnt/vendor/* to fix the denials. Note that device-specific sepolicy needs to be extended to allow vold to send FITRIM ioctl. e.g., for /mnt/vendor/persist, it needs: allow vold persist_file:dir { ioctl open read }; Bug: 111409607 Test: boot a device, checks the above denial is gone Change-Id: Ia9f22d973e5a2e295678781de49a0f61fccd9dad
7b67a617 · Bowgo Tsai · 32809859 · 7b67a617 · 7b67a617
Commit 7b67a617 authored 6 years ago by Bowgo Tsai
--- a/public/domain.te
+++ b/public/domain.te
@@ -1391,6 +1391,7 @@ neverallow {
  coredomain
  -init
  -ueventd
+  -vold
 } mnt_vendor_file:dir *;
 # Only apps are allowed access to vendor public libraries.

--- a/public/vold.te
+++ b/public/vold.te
@@ -213,6 +213,9 @@ allow vold user_profile_data_file:dir create_dir_perms;
 # Raw writes to misc block device
 allow vold misc_block_device:blk_file w_file_perms;
+# vold might need to search or mount /mnt/vendor/*
+allow vold mnt_vendor_file:dir search;
 neverallow {
    domain
    -vold