Create sysfs_dm label. am: 5b4bea438a am: 28dca27ba2 am: a35083e015
am: 29c909ff34
Change-Id: Iba58bad1f82fbbb2221fbdb007a5c10d83925dfa
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 721d27e..d78f6ac 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -565,7 +565,7 @@
(typeattributeset surfaceflinger_26_0 (surfaceflinger))
(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0 (sysfs))
+(typeattributeset sysfs_26_0 (sysfs sysfs_dm))
(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6a95ffb..563da5d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -62,6 +62,7 @@
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
diff --git a/public/file.te b/public/file.te
index 8dbfd3b..4aca188 100644
--- a/public/file.te
+++ b/public/file.te
@@ -47,6 +47,7 @@
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_dm, fs_type, sysfs_type;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 6bba17b..5d20eca 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -9,7 +9,16 @@
allow update_verifier ota_package_file:dir r_dir_perms;
allow update_verifier ota_package_file:file r_file_perms;
-# Read all blocks in dm wrapped system partition.
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow update_verifier sysfs:dir r_dir_perms;
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and system/vendor partitions.
+allow update_verifier sysfs_dm:dir r_dir_perms;
+allow update_verifier sysfs_dm:file r_file_perms;
+
+# Read all blocks in DM wrapped system partition.
allow update_verifier dm_device:blk_file r_file_perms;
# Write to kernel message.
diff --git a/public/vold.te b/public/vold.te
index a569f9e..71932df 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -12,6 +12,7 @@
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
allow vold sysfs:file w_file_perms;
+allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;