Add /boot files as ramdisk_boot_file.
/boot/etc/build.prop is a file available at first_stage_init to
be moved into /second_stage_resources.
The file is only read by first_stage_init before SELinux is
initialized. No other domains are allowed to read it.
Test: build aosp_hawk
Test: boot and getprop
Bug: 170364317
Change-Id: I0f8e3acc3cbe6d0bae639d2372e1423acfc683c7
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 7db303c..d3bebbb 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -30,6 +30,7 @@
profcollectd_data_file
profcollectd_exec
profcollectd_service
+ ramdisk_boot_file
shell_test_data_file
sysfs_devices_cs_etm
update_engine_stable_service
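Review bot: The new type is added only to the 30.0 compatibility ignore list; if this tree also carries ignore lists for older platform versions under private/compat/, a type that is new to the platform is presumably expected in each of them as well, otherwise the older-vendor compatibility mappings would see `ramdisk_boot_file` as an unmapped type. That cannot be confirmed from this hunk, so it is worth checking before merge.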
diff --git a/private/domain.te b/private/domain.te
index 5cc313a..b1f968f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -437,3 +437,6 @@
-vndk_sp_file
}:file *;
')
+
+# Only first_stage_init can read files under /boot.
+neverallow domain ramdisk_boot_file:dir_file_class_set *;
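Review bot: The comment above the neverallow could be more precise: first_stage_init is not a SELinux domain (it runs before the policy is loaded), so the rule as written denies every domain, init included, any access to `ramdisk_boot_file` objects. Suggest `# /boot is consumed only by first_stage_init, which runs before the policy is loaded; no domain may access ramdisk_boot_file.` Because `dir_file_class_set *` is a blanket denial, any other allow rule on `file_type` in the tree that does not exclude `ramdisk_boot_file` would now fail the neverallow check at policy build time; the init.te and vendor_init.te exclusions in this change cover the core lists, but device-specific policy with similarly broad rules may need the same treatment. The commit description also says the file is moved into /second_stage_resources before SELinux is initialized; the label that copy carries after the move decides whether anything can read it later, and this diff does not show it.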
diff --git a/private/file_contexts b/private/file_contexts
index 84fb2a7..e7cc906 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -762,3 +762,7 @@
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
+
+#############################
+# Ramdisk files under /boot
+/boot(/.*)? u:object_r:ramdisk_boot_file:s0
diff --git a/public/file.te b/public/file.te
index 3d10999..b9b5fef3 100644
--- a/public/file.te
+++ b/public/file.te
@@ -560,3 +560,6 @@
# Should be:
# type apk_data_file, file_type, data_file_type;
neverallow fs_type file_type:filesystem associate;
+
+# /boot
+type ramdisk_boot_file, file_type;
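Review bot: The header comment on the new type declaration is just `# /boot`, which says nothing about what these files are or why the type exists. Suggest `# Files in the ramdisk under /boot, consumed by first_stage_init before the policy is loaded; every domain is denied access via a neverallow in domain.te.` so a reader of public/file.te does not have to locate the rule in private/domain.te to understand the type's intent.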
diff --git a/public/init.te b/public/init.te
index f84bacb..077816f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -179,6 +179,7 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
+ -ramdisk_boot_file
-system_app_data_file
-system_file_type
-vendor_file_type
@@ -193,6 +194,7 @@
-keystore_data_file
-misc_logd_file
-nativetest_data_file
+ -ramdisk_boot_file
-privapp_data_file
-shell_data_file
-system_app_data_file
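Review bot: In this exclusion list the new `-ramdisk_boot_file` entry is inserted before `-privapp_data_file`, whereas the other five lists in this file place it after `-privapp_data_file`, keeping the alphabetical order those lists otherwise follow; moving the entry one line down makes the lists consistent. The enclosing allow statement starts outside the hunk.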
@@ -213,6 +215,7 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
+ -ramdisk_boot_file
-runtime_event_log_tags_file
-shell_data_file
-system_app_data_file
@@ -232,6 +235,7 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
+ -ramdisk_boot_file
-shell_data_file
-system_app_data_file
-system_file_type
@@ -251,6 +255,7 @@
-misc_logd_file
-nativetest_data_file
-privapp_data_file
+ -ramdisk_boot_file
-shell_data_file
-system_app_data_file
-system_file_type
@@ -267,6 +272,7 @@
-exec_type
-app_data_file
-privapp_data_file
+ -ramdisk_boot_file
}:dir_file_class_set relabelto;
allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0bdf632..c729370 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -52,6 +52,7 @@
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
+ -ramdisk_boot_file
-unlabeled
-vendor_file_type
-vold_metadata_file
@@ -68,6 +69,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -ramdisk_boot_file
-runtime_event_log_tags_file
-system_file_type
-unlabeled
@@ -85,6 +87,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -ramdisk_boot_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -101,6 +104,7 @@
-exec_type
-password_slot_metadata_file
-ota_metadata_file
+ -ramdisk_boot_file
-system_file_type
-unlabeled
-vendor_file_type
@@ -117,6 +121,7 @@
-mnt_product_file
-password_slot_metadata_file
-ota_metadata_file
+ -ramdisk_boot_file
-system_file_type
-vendor_file_type
-vold_metadata_file