From d5cdca08c784993bda0c25047676f3306552a6f1 Mon Sep 17 00:00:00 2001
From: Tianjie Xu <xunchang@google.com>
Date: Thu, 19 Jan 2017 17:41:02 -0800
Subject: [PATCH] Allow update_verifier to read dm blocks

Update_verifier will read the dm-wrapped system/vendor partitions. Therefore,
change the sepolicy accordingly.

Here's the denied message:
update_verifier: type=1400 audit(0.0:131): avc: denied { read } for
name="dm-0" dev="tmpfs" ino=15493 scontext=u:r:update_verifier:s0
tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0

Bug: 34391662
Test: Read of /dev/block/dm-0 succeeds during boot time.
Change-Id: I23325bd92f6e28e9b1d62a0f2348837cece983d1
---
 public/update_verifier.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/public/update_verifier.te b/public/update_verifier.te
index 5ee525839..848215945 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -13,8 +13,8 @@ allow update_verifier block_device:dir search;
 allow update_verifier ota_package_file:dir r_dir_perms;
 allow update_verifier ota_package_file:file r_file_perms;
 
-# Read all blocks in system partition.
-allow update_verifier system_block_device:blk_file r_file_perms;
+# Read all blocks in dm wrapped system partition.
+allow update_verifier dm_device:blk_file r_file_perms;
 
 # Use binderized HAL
 hwbinder_use(update_verifier)
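Review bot: The new allow rule on line 32 grants read on every block node labelled `dm_device`, which in Android's file_contexts is the label of all `/dev/block/dm-N` nodes, not only the verity-wrapped system partition, so the comment on line 31 understates what is granted; suggest `# Read all blocks in the dm wrapped system/vendor partitions (dm_device covers every dm-N node, so this is not limited to those two).` The commit message names system and vendor while the comment names only system; the two should agree. Removing the `system_block_device` rule presumably denies raw (non-dm) reads of the system partition from now on — confirm that no supported device configuration still reads the raw partition during boot, otherwise keep both rules.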
-- 