From e244f2d3552b312d600b8f08cff33789c1d32894 Mon Sep 17 00:00:00 2001
From: Daniel Rosenberg <drosen@google.com>
Date: Thu, 23 Jul 2015 21:01:13 -0700
Subject: [PATCH] Allow init to mount filesystems on properly labeled folders

Change-Id: I08aaf89e2ef23f9528d107a1c9d66c1c9979b3ac
---
 domain.te | 3 ++-
 init.te   | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index 23dabf58e..87422de98 100644
--- a/domain.te
+++ b/domain.te
@@ -327,7 +327,8 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
 neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
-neverallow domain { system_file exec_type }:dir_file_class_set mounton;
+neverallow domain exec_type:dir_file_class_set mounton;
+neverallow { domain -init } system_file:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
 neverallow { domain -recovery } rootfs:file { create write setattr relabelto append unlink link rename };
diff --git a/init.te b/init.te
index 9fdfd222a..e81a6124f 100644
--- a/init.te
+++ b/init.te
@@ -43,7 +43,7 @@ allow init self:capability sys_admin;
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init rootfs:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;
 
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
-- 
GitLab