Allow fastbootd to mount /metadata in recovery. It is important that fastbootd is able to mount /metadata in recovery, in order to check whether Virtual A/B snapshots are present. This is enabled on userdebug builds, but currently fails on user builds. Fixes: audit: type=1400 audit(7258310.023:24): avc: denied { mount } for pid=511 comm="fastbootd" name="/" dev="sda15" ino=2 scontext=u:r:fastbootd:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0 Bug: 181097763 Test: fastboot flash on user build Change-Id: I1abeeaa3109e08755a1ba44623a46b12d9bfdedc

commit: 018004d9d1e902468efd10faabc00c5d9f3a40ed [log] [tgz]
author: David Anderson <dvander@google.com> Wed May 05 16:33:48 2021 -0700
committer: David Anderson <dvander@google.com> Wed May 05 16:37:56 2021 -0700
tree: d93775fda7e00c2e56a64a0794302a03e59e44c8
parent: b99176333a287e415880b23253d06f638ea9fc5f [diff] [blame]
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 98eb23c..0174faa 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te

@@ -38,4 +38,7 @@
 
   # Get fastbootd protocol property
   get_prop(fastbootd, fastbootd_protocol_prop)
+
+  # Mount /metadata to interact with Virtual A/B snapshots.
+  allow fastbootd labeledfs:filesystem { mount unmount };
 ')
commit	018004d9d1e902468efd10faabc00c5d9f3a40ed	[log] [tgz]
author	David Anderson <dvander@google.com>	Wed May 05 16:33:48 2021 -0700
committer	David Anderson <dvander@google.com>	Wed May 05 16:37:56 2021 -0700
tree	d93775fda7e00c2e56a64a0794302a03e59e44c8
parent	b99176333a287e415880b23253d06f638ea9fc5f [diff] [blame]