From fd7da7b2a73c4e652ac1d90caebfa4c1e735a35a Mon Sep 17 00:00:00 2001
From: Tri Vo <trong@google.com>
Date: Tue, 3 Oct 2017 16:09:08 -0700
Subject: [PATCH] Move update_engine rules out of update_engine_common.te
Grant update_engine access to sysfs.
Ran fake ota go/manual-ab-ota, and this denial was fixed:
avc: denied { read } for pid=912 comm="update_engine" name="compatible"
dev="sysfs" ino=17399 scontext=u:r:update_engine:s0
tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
Test: boots with no new denials
Change-Id: I8697da3af254aea1cec44d9dbb1eca18be31859c
---
public/update_engine.te | 10 ++++++++++
public/update_engine_common.te | 10 ----------
2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/public/update_engine.te b/public/update_engine.te
index b8f0035bd..f67afc28d 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -39,3 +39,13 @@ allow update_engine ota_package_file:dir r_dir_perms;
# Use Boot Control HAL
hal_client_domain(update_engine, hal_bootctl)
+
+# access /proc/misc and /proc/sys/kernel/random/boot_id
+allow update_engine proc:file r_file_perms;
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
+
+# Read files in /sys
+r_dir_file(update_engine, sysfs)
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 7680e07da..61d393a26 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -37,13 +37,3 @@ allow update_engine_common shell_exec:file rx_file_perms;
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };
-
-# access /proc/misc and /proc/sys/kernel/random/boot_id
-allow update_engine proc:file r_file_perms;
-allow update_engine proc_misc:file r_file_perms;
-
-# read directories on /system and /vendor
-allow update_engine system_file:dir r_dir_perms;
-
-# Read files in /sys
-r_dir_file(uncrypt, sysfs)
--
GitLab