Skip to content
Snippets Groups Projects
Commit fcd86911 authored by Nick Kralevich's avatar Nick Kralevich
Browse files

allow init fs_type:dir search

We allow chmod/chown of files / directories by init, but don't allow
init to search into subdirectories. Feels wrong.

Addresses the following denial:

  avc:  denied  { search } for  pid=1 comm="init" name="/" dev="pstore" ino=5570 scontext=u:r:init:s0 tcontext=u:object_r:pstorefs:s0 tclass=dir permissive=1

which results from the following init.rc statement:

  # pstore/ramoops previous console log
  mount pstore pstore /sys/fs/pstore
  chown system log /sys/fs/pstore/console-ramoops
  chmod 0440 /sys/fs/pstore/console-ramoops
  chown system log /sys/fs/pstore/pmsg-ramoops-0
  chmod 0440 /sys/fs/pstore/pmsg-ramoops-0

Bug: 19050686
Change-Id: I0528ecb17686891b66262de1f3c229cc68a56830
parent b00a0379
No related branches found
No related tags found
No related merge requests found
......@@ -91,7 +91,8 @@ allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
# chown/chmod on pseudo files.
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:{ dir file } { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
# chown/chmod on devices.
allow init { dev_type -kmem_device }:chr_file { read open setattr };
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment