Merge "Allow init to relabel rootfs files."

2e14164c · Nick Kralevich · Gerrit Code Review · 67d1f1ec · c626a882 · 2e14164c
Commit 2e14164c authored 10 years ago by Nick Kralevich Committed by Gerrit Code Review 10 years ago
--- a/domain.te
+++ b/domain.te
@@ -278,7 +278,7 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };

 # Nothing should be writing to files in the rootfs.
-neverallow domain rootfs:file { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };

 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.

--- a/init.te
+++ b/init.te
@@ -28,6 +28,9 @@ allow init contextmount_type:filesystem relabelto;
 allow init contextmount_type:dir r_dir_perms;
 allow init contextmount_type:notdevfile_class_set r_file_perms;

+# restorecon /adb_keys or any other rootfs files to a more specific type.
+allow init rootfs:file relabelfrom;
+
 # restorecon and restorecon_recursive calls from init.rc files.
 # system/core/init.rc requires at least cache_file and data_file_type.
 # init.<board>.rc files often include device-specific types, so