Allow fastbootd to mount /metadata in recovery.
It is important that fastbootd is able to mount /metadata in recovery, in
order to check whether Virtual A/B snapshots are present. This is
enabled on userdebug builds, but currently fails on user builds.
Fixes:
audit: type=1400 audit(7258310.023:24): avc: denied { mount } for pid=511 comm="fastbootd" name="/" dev="sda15" ino=2 scontext=u:r:fastbootd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0
Bug: 181097763
Test: fastboot flash on user build
Change-Id: I1abeeaa3109e08755a1ba44623a46b12d9bfdedc
diff --git a/private/domain.te b/private/domain.te
index 5d8d960..b91d36d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -359,7 +359,7 @@
neverallow {
domain
-apexd
- recovery_only(`userdebug_or_eng(`-fastbootd')')
+ recovery_only(`-fastbootd')
-init
-kernel
-otapreopt_chroot
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 98eb23c..0174faa 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -38,4 +38,7 @@
# Get fastbootd protocol property
get_prop(fastbootd, fastbootd_protocol_prop)
+
+ # Mount /metadata to interact with Virtual A/B snapshots.
+ allow fastbootd labeledfs:filesystem { mount unmount };
')
diff --git a/public/fastbootd.te b/public/fastbootd.te
index 72ba65c..e167a5e 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -48,7 +48,7 @@
# libfiemap.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir { search getattr };
+ allow fastbootd metadata_file:dir { search getattr mounton };
allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
allow fastbootd gsi_metadata_file_type:file create_file_perms;
@@ -97,7 +97,6 @@
vendor_file_type
}:{ file lnk_file } unlink;
allow fastbootd tmpfs:dir rw_dir_perms;
- allow fastbootd labeledfs:filesystem { mount unmount };
# Fetch vendor_boot partition
allow fastbootd boot_block_device:blk_file r_file_perms;
')