From 314d8c5801a47523f18eb703205183f8fdd0068b Mon Sep 17 00:00:00 2001
From: Max <jbires@google.com>
Date: Tue, 29 Nov 2016 16:23:02 -0800
Subject: [PATCH] Added an auditallow rule to track vold remounting
 filesystems.

Vold shouldn't have this SELinux permission, so this will be left in for
a few weeks to track whether removing it would be an issue for any
other processes. If not, then a follow-up CL will remove both the rule
and the auditallow.

Test: This CL is a test in itself, auditallow rules shouldn't change
behavior of SELinux policy by themselves
Bug: 26901147
Change-Id: Ib076448863bd54278df59a3b514c9e877eb22ee5
---
 public/vold.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/public/vold.te b/public/vold.te
index 3ebb1d2fd..fe3ab7199 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -94,6 +94,9 @@ allow vold ion_device:chr_file r_file_perms;
 
 # Unmount and mount the fs.
 allow vold labeledfs:filesystem { mount unmount remount };
+# audit any attempts of vold to remount a filesystem, monitor in a few weeks
+# then remove
+auditallow vold labeledfs:filesystem { remount };
 
 # Access /efs/userdata_footer.
 # XXX Split into a separate type?
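Review bot: The comment added above the `auditallow` line names neither the tracking bug nor what exactly is to be removed, so the temporary rule and the `remount` permission it watches can easily outlive the "few weeks". The commit message says the follow-up removes both the permission and the auditallow, and the in-file comment should say the same and tell the reader what to look for. Something like `# TODO(b/26901147): temporary; logs "avc: granted" when vold remounts a labeledfs filesystem.` followed by `# If no such records appear, drop remount from the allow rule above and delete this auditallow.` would do. As a point of style, the braces around the single permission are unnecessary: `auditallow vold labeledfs:filesystem remount;`.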
-- 
GitLab