Skip to content
Snippets Groups Projects
Commit c287032f authored by Bowgo Tsai's avatar Bowgo Tsai
Browse files

Sepolicy for rw mount point for product extensions.

Bug: 110808288
Test: device boots with /mnt/product present and selinux label
      mnt_product_file applied correctly.

Change-Id: I596e4b79285fe1a79d31ad1b07f4bcffe6a6cd98
parent ff91d5d6
No related branches found
No related tags found
No related merge requests found
...@@ -82,6 +82,7 @@ ...@@ -82,6 +82,7 @@
mediaextractor_update_service mediaextractor_update_service
mediaprovider_tmpfs mediaprovider_tmpfs
metadata_file metadata_file
mnt_product_file
mnt_vendor_file mnt_vendor_file
netd_stable_secret_prop netd_stable_secret_prop
network_watchlist_data_file network_watchlist_data_file
......
...@@ -68,6 +68,7 @@ ...@@ -68,6 +68,7 @@
lowpan_service lowpan_service
mediaextractor_update_service mediaextractor_update_service
metadata_file metadata_file
mnt_product_file
mnt_vendor_file mnt_vendor_file
network_watchlist_data_file network_watchlist_data_file
network_watchlist_service network_watchlist_service
......
...@@ -542,3 +542,7 @@ ...@@ -542,3 +542,7 @@
############################# #############################
# mount point for read-write vendor partitions # mount point for read-write vendor partitions
/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0 /mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
...@@ -1400,3 +1400,9 @@ full_treble_only(` ...@@ -1400,3 +1400,9 @@ full_treble_only(`
-appdomain -appdomain
} vendor_public_lib_file:file { execute execute_no_trans }; } vendor_public_lib_file:file { execute execute_no_trans };
') ')
# Vendor domian must not have access to /mnt/product.
neverallow {
domain
-coredomain
} mnt_product_file:dir *;
...@@ -237,6 +237,9 @@ type storage_stub_file, file_type; ...@@ -237,6 +237,9 @@ type storage_stub_file, file_type;
# Mount location for read-write vendor partitions. # Mount location for read-write vendor partitions.
type mnt_vendor_file, file_type; type mnt_vendor_file, file_type;
# Mount location for read-write product partitions.
type mnt_product_file, file_type;
# /postinstall: Mount point used by update_engine to run postinstall. # /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type; type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file. # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
......
...@@ -42,6 +42,7 @@ allow vendor_init { ...@@ -42,6 +42,7 @@ allow vendor_init {
-core_data_file_type -core_data_file_type
-exec_type -exec_type
-system_file -system_file
-mnt_product_file
-unlabeled -unlabeled
-vendor_file_type -vendor_file_type
-vold_metadata_file -vold_metadata_file
...@@ -82,6 +83,7 @@ allow vendor_init { ...@@ -82,6 +83,7 @@ allow vendor_init {
file_type file_type
-core_data_file_type -core_data_file_type
-exec_type -exec_type
-mnt_product_file
-system_file -system_file
-vendor_file_type -vendor_file_type
-vold_metadata_file -vold_metadata_file
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment