From d1f8f731ea5c35316c8349c31ff9723e52ba7e52 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 21 Jan 2016 09:46:58 -0800
Subject: [PATCH] vold: allow execute cp and rm

Used in system/vold/MoveTask.cpp

Addresses:
avc: denied { execute } for name="toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { read open } for path="/system/bin/toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
avc: denied { execute_no_trans } for path="/system/bin/toolbox" dev="mmcblk0p29" ino=359 scontext=u:r:vold:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1

Change-Id: I2eb6288aaed510ae5be0f3605088ace6b865ef83
---
 vold.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/vold.te b/vold.te
index e7996e162..841653168 100644
--- a/vold.te
+++ b/vold.te
@@ -168,6 +168,9 @@ allow vold fuse_device:chr_file rw_file_perms;
 allow vold sysfs_zram:dir r_dir_perms;
 allow vold sysfs_zram_uevent:file rw_file_perms;
 
+# MoveTask.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
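Review bot: The new comment on the `allow vold toolbox_exec:file rx_file_perms;` line says what is executed but not how, and the how is the security-relevant part: `rx_file_perms` includes `execute_no_trans` (the third denial in the description), so cp and rm run inside the vold domain with vold's full privileges rather than in a separate, more confined domain. I would make that explicit so a later reader does not mistake this for a transition-based exec, e.g. `# MoveTask.cpp runs cp and rm from toolbox in vold's own domain (no domain transition), so they inherit vold's privileges`. It may also be worth noting in the comment that this rule can be dropped if MoveTask.cpp is ever changed to perform the copy/remove in-process instead of spawning shell tools, as presumably that is the preferred end state.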
-- 
GitLab