Merge "Give fastbootd permission to mount and write to /metadata/gsi."

commit: 3914147f3ac4e608ffbcc27630e3fde7ce1427b5 [log] [tgz]
author: Yifan Hong <elsk@google.com> Wed Jan 15 01:31:59 2020 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Wed Jan 15 01:31:59 2020 +0000
tree: e3a64c4aed72f97ed8ce99892588de8db7470f9f
parent: 184fe45549da14b48b36f4b89b0abc1e34ff60c9 [diff]
parent: 11a741961a377ec919beed314269ea22b118bcf9 [diff]
diff --git a/public/fastbootd.te b/public/fastbootd.te
index f08885a..3ab489b 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te

@@ -53,12 +53,13 @@
     userdata_block_device
   }:blk_file { w_file_perms getattr ioctl };
 
-  # For disabling/wiping GSI.
+  # For disabling/wiping GSI, and for modifying/deleting files created via
+  # libfiemap.
   allow fastbootd metadata_block_device:blk_file r_file_perms;
   allow fastbootd {rootfs tmpfs}:dir mounton;
-  allow fastbootd metadata_file:dir search;
-  allow fastbootd gsi_metadata_file:dir r_dir_perms;
-  allow fastbootd gsi_metadata_file:file rw_file_perms;
+  allow fastbootd metadata_file:dir { search getattr };
+  allow fastbootd gsi_metadata_file:dir rw_dir_perms;
+  allow fastbootd gsi_metadata_file:file create_file_perms;
 
   allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
commit	3914147f3ac4e608ffbcc27630e3fde7ce1427b5	[log] [tgz]
author	Yifan Hong <elsk@google.com>	Wed Jan 15 01:31:59 2020 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Wed Jan 15 01:31:59 2020 +0000
tree	e3a64c4aed72f97ed8ce99892588de8db7470f9f
parent	184fe45549da14b48b36f4b89b0abc1e34ff60c9 [diff]
parent	11a741961a377ec919beed314269ea22b118bcf9 [diff]