Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 0e15f2d9c567df45c28d6b1e856c4c31c749974e^! / . / microdroid / system
commit0e15f2d9c567df45c28d6b1e856c4c31c749974e[log] [tgz]
authorNate Myren <ntmyren@google.com>Tue Aug 15 16:41:17 2023 -0700
committerNate Myren <ntmyren@google.com>Mon Oct 23 18:34:12 2023 +0000
tree38cea72fcf6878a69eadf1e6a7fdb47ef064b57c
parent3a102a13f384ce20b128622bc7d5758fc2ef9565 [diff]
Add appcompat override files and contexts to SELinux

This also allows the zygote to bind mount the system properties

Bug: 291814949
Test: manual
Change-Id: Ie5540faaf3508bc2d244c952904838d56aa67434

diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index e483237..046f20f 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts

@@ -72,7 +72,9 @@
 /dev/vsock		u:object_r:vsock_device:s0
 /dev/zero		u:object_r:zero_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/appcompat_override u:object_r:properties_device:s0
 /dev/__properties__/property_info   u:object_r:property_info:s0
+/dev/__properties__/appcompat_override/property_info   u:object_r:property_info:s0
 #############################
 # Linker configuration
 #

diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 2dbf495..57452a0 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te

@@ -32,11 +32,11 @@
 # /dev/__null__ node created by init.
 allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
 
-# /dev/__properties__
+# /dev/__properties__ and /dev/__properties__/appcompat_override
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
+# /dev/__properties__/property_info and /dev/__properties__/appcompat_override/property_info
 allow init properties_device:file create_file_perms;
 allow init property_info:file relabelto;
 # /dev/socket