From f35006089a3255d29a2edaea23c578d2e3bc67cc Mon Sep 17 00:00:00 2001
From: Daniel Rosenberg <drosen@google.com>
Date: Thu, 23 Jul 2015 21:01:13 -0700
Subject: [PATCH] Allow init to mount filesystems on properly labeled folders

Change-Id: I08aaf89e2ef23f9528d107a1c9d66c1c9979b3ac
---
 domain.te | 3 ++-
 init.te   | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index 0f6c6dac3..c6898ba9a 100644
--- a/domain.te
+++ b/domain.te
@@ -312,7 +312,8 @@ neverallow { domain -recovery } { system_file exec_type }:dir_file_class_set
 neverallow { domain -recovery -kernel } { system_file exec_type }:dir_file_class_set relabelto;
 
 # Don't allow mounting on top of /system files or directories
-neverallow domain { system_file exec_type }:dir_file_class_set mounton;
+neverallow domain exec_type:dir_file_class_set mounton;
+neverallow { domain -init } system_file:dir_file_class_set mounton;
 
 # Nothing should be writing to files in the rootfs.
 neverallow domain rootfs:file { create write setattr relabelto append unlink link rename };
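Review bot: The comment on the line above the two new neverallow rules, "Don't allow mounting on top of /system files or directories", no longer describes the policy, because the second rule now exempts init for anything labeled system_file. I would change it to `# Don't allow mounting on top of /system files or directories, except that init may mount on system_file (see init.te)`. The exemption is also broader than the allow rule it is paired with: it lifts the restriction for the whole dir_file_class_set, while init.te only grants `:dir mounton`, so the compile-time guarantee that init cannot mount over a system_file-labeled regular file is gone; consider keeping `neverallow domain system_file:{ file lnk_file sock_file fifo_file chr_file blk_file } mounton;` so only directories are exempt, if that matches the intent.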
diff --git a/init.te b/init.te
index 41eafe262..1a60e2746 100644
--- a/init.te
+++ b/init.te
@@ -43,7 +43,7 @@ allow init self:capability sys_admin;
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init rootfs:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;
 
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
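Review bot: The comment above the changed allow rule, "Create and mount on directories in /.", is now inaccurate, since the mounton permission covers directories labeled cache_file, cgroup, storage_file, system_data_file and system_file as well as rootfs. I would update it to `# Create directories in /, and mount on directories in / and on properly labeled mount points (cache, cgroup, storage, data, system)`. It is also worth a note that the system_file entry only compiles because domain.te exempts init from its mounton neverallow, so the two rules must be kept in step; and since system_data_file is the default label for much of /data, a reviewer may want the rationale for why a narrower type for the intended mount points was not used, which the commit message does not give.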
-- 
GitLab