Move mtectrl to private

Because mtectrl is a system-internal domain, we don't need to expose
the type to vendor.

Test: build and boot
Change-Id: Idb5c4a4c6f175e338722971944bf08ba99835476
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index ffd148f..da6876e 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -40,7 +40,6 @@
     hal_wifi_supplicant_service
     locale_service
     mdns_service
-    mtectrl
     nearby_service
     proc_watermark_boost_factor
     proc_watermark_scale_factor
diff --git a/private/domain.te b/private/domain.te
index b193330..988bd56 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -112,6 +112,26 @@
 # Allow all processes to check for the existence of the boringssl_self_test_marker files.
 allow domain boringssl_self_test_marker:dir search;
 
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+  domain
+  userdebug_or_eng(`-domain') # exclude debuggable builds
+  -fastbootd
+  -hal_bootctl_server
+  -init
+  -uncrypt
+  -update_engine
+  -vendor_init
+  -vendor_misc_writer
+  -vold
+  -recovery
+  -ueventd
+  -mtectrl
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these allowlisted domains.
 neverallow {
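Review bot: The new exclusion `-mtectrl` at the end of the misc_block_device neverallow carries no justification, unlike the block comment that explains the rule itself, so a reader cannot tell why a coredomain tool is exempted from a rule guarding a partition "reserved for OTA use". Since the mtectrl.te header in this same change describes it as requesting MTE from the bootloader, the exemption is presumably there so that request can be written into misc — worth stating inline, e.g. `-mtectrl # MTE request to the bootloader goes through misc` (confirm that is the actual reason before landing the comment). The tail of the list (`-recovery`, `-ueventd`, `-mtectrl`) also breaks the alphabetical order of the earlier entries; if the block was moved here from public policy unchanged that is pre-existing, but this is a natural moment to sort it so future exemptions are easy to spot in review. The neverallow statement is complete within the hunk.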
diff --git a/private/mtectrl.te b/private/mtectrl.te
index a89edda..436dcae 100644
--- a/private/mtectrl.te
+++ b/private/mtectrl.te
@@ -1,4 +1,5 @@
 # mtectrl is a tool to request MTE (Memory Tagging Extensions) from the bootloader.
+type mtectrl, domain, coredomain;
 type mtectrl_exec, system_file_type, exec_type, file_type;
 
 init_daemon_domain(mtectrl)
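Review bot: The header comment still describes only what mtectrl does, while the reason for the added `type mtectrl, domain, coredomain;` — that the type is now declared in private/ so vendor policy cannot reference it — is recorded only in the commit message. Suggest extending the header with `# The domain is declared here (private) rather than in public/ so it is not exposed to vendor policy.` If a `type mtectrl` declaration still exists under public/, the two would collide at build time; that removal is not visible in this chunk, so presumably it is elsewhere in the change.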