Commit 8188830e authored by Jeff Sharkey

sgdisk: devpts and reload partition tables.

Add rules to let sgdisk read/write to pts when forked from vold.

avc: denied { read write } for path="/dev/pts/14" dev="devpts" ino=17 scontext=u:r:sgdisk:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0

Also add rule to let it kick kernel to reload partition tables after
we finish editing them.  Without this capability, it leaves this
message and violation:

Warning: The kernel is still using the old partition table.
The new table will be used at the next reboot.
GPT data structures destroyed! You may now partition the disk using fdisk or
other utilities.

avc: denied { sys_admin } for capability=21 scontext=u:r:sgdisk:s0 tcontext=u:r:sgdisk:s0 tclass=capability permissive=0

Change-Id: If26a40f9fd3b1ab2c50156ae8bdb128676521b57
parent 5a5b364c
...@@ -6,10 +6,16 @@ type sgdisk_exec, exec_type, file_type; ...@@ -6,10 +6,16 @@ type sgdisk_exec, exec_type, file_type;
allow sgdisk block_device:dir search; allow sgdisk block_device:dir search;
allow sgdisk vold_device:blk_file rw_file_perms; allow sgdisk vold_device:blk_file rw_file_perms;
# Inherit and use pty created by android_fork_execvp()
allow sgdisk devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold # Allow stdin/out back to vold
allow sgdisk vold:fd use; allow sgdisk vold:fd use;
allow sgdisk vold:fifo_file { read write getattr }; allow sgdisk vold:fifo_file { read write getattr };
# Used to probe kernel to reload partition tables
allow sgdisk self:capability sys_admin;
# Only allow entry from vold # Only allow entry from vold
neverallow { domain -vold } sgdisk:process transition; neverallow { domain -vold } sgdisk:process transition;
neverallow domain sgdisk:process dyntransition; neverallow domain sgdisk:process dyntransition;
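Review bot: `allow sgdisk self:capability sys_admin;` grants the broadest capability in the set, and the comment above it ("Used to probe kernel to reload partition tables") should name the concrete operation that needs it, namely the block-device re-read ioctl that the kernel gates on CAP_SYS_ADMIN (capability=21 in the quoted denial), so a later reader can verify that nothing narrower would do. It is worth stating in the same comment that the grant is acceptable only because the two `neverallow` lines below keep the domain reachable solely through a transition from `vold`; if either neverallow is ever relaxed, this capability rule needs to be revisited. The `devpts:chr_file { read write ioctl getattr }` rule is consistent with the quoted `{ read write }` denial plus the attribute and terminal ioctls a pty-backed stdio needs, but `ioctl` on a chr_file is broad and, if the policy in use supports it, an ioctl allowlist would make the intent explicit.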