Commit d5cdca08 authored by Tianjie Xu

Allow update_verifier to read dm blocks

Update_verifier will read dm-wrapped system/vendor partition. Therefore,
change the sepolicy accordingly.

Here's the denied message:
update_verifier: type=1400 audit(0.0:131): avc: denied { read } for
name="dm-0" dev="tmpfs" ino=15493 scontext=u:r:update_verifier:s0
tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0

Bug: 34391662
Test: Read of /dev/block/dm-0 succeeds during boot time.
Change-Id: I23325bd92f6e28e9b1d62a0f2348837cece983d1
parent 606d2fd6
...@@ -13,8 +13,8 @@ allow update_verifier block_device:dir search; ...@@ -13,8 +13,8 @@ allow update_verifier block_device:dir search;
allow update_verifier ota_package_file:dir r_dir_perms; allow update_verifier ota_package_file:dir r_dir_perms;
allow update_verifier ota_package_file:file r_file_perms; allow update_verifier ota_package_file:file r_file_perms;
# Read all blocks in system partition. # Read all blocks in dm wrapped system partition.
allow update_verifier system_block_device:blk_file r_file_perms; allow update_verifier dm_device:blk_file r_file_perms;
# Use binderized HAL # Use binderized HAL
hwbinder_use(update_verifier) hwbinder_use(update_verifier)
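
Review bot: The new comment on the dm_device rule says "dm wrapped system partition", but the rule is not scoped to system: `allow update_verifier dm_device:blk_file r_file_perms;` grants read on every blk_file labelled dm_device, and the commit message itself says the verifier reads dm-wrapped system/vendor. Please reword the comment so it states what the rule actually permits, for example "# Read all blocks in dm-wrapped system/vendor partitions; dm_device is shared by all device-mapper nodes." The same line also drops `system_block_device:blk_file r_file_perms` entirely; if any path in update_verifier can still open the raw system block device, that read will now be denied, so either keep both rules or note in the commit message that the raw-device read path is gone.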
......