Add rules for calling ReadDefaultFstab()
Grant ReadDefaultFstab() callers
allow scontext { metadata_file gsi_metadata_file_type }:dir search;
allow scontext gsi_public_metadata_file:file r_file_perms;
so they can search / read DSU metadata files.
The DSU metadata files are required to deduce the correct fstab.
Also tighten the neverallow rules in gsid.te.
Bug: 181110285
Test: Build pass, presubmit test
Test: Boot and check avc denials
Test: Boot with DSU and check avc denials
Change-Id: Ie464b9a8f7a89f9cf8f4e217dad1322ba3ad0633
diff --git a/private/gsid.te b/private/gsid.te
index fb40528..e6a395a 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -166,8 +166,6 @@
-init
-gsid
-fastbootd
- -recovery
- -vold
} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
@@ -175,7 +173,6 @@
-init
-gsid
-fastbootd
- -vold
} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
neverallow {
@@ -183,7 +180,6 @@
-init
-gsid
-fastbootd
- -vold
} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
# Prevent apps from accessing gsi_metadata_file_type.
@@ -193,15 +189,7 @@
domain
-init
-gsid
-} gsi_data_file:dir *;
-
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
- -vold
-} gsi_data_file:file_class_set *;
+} gsi_data_file:dir_file_class_set *;
neverallow {
domain