Allow sysfs_dm in fsck.f2fs

Commit ea9921f4f5b9 ("f2fs-tools: support zoned device in Android") in
f2fs-tools supports zoned device in Android. When detecting the disk
supports zoned device with proper types, we need to access its sysfs
entry. Note that, we need to check sysfs entries by default for
non-zoned disks in general as well.

If a product doesn't use metadata encryption which sets a device mapper, vendor
selinux needs to allow sysfs entries for raw disks such as sysfs_scsi_devices or
sysfs_devices_block.

avc: denied { search } for comm="fsck.f2fs" name="dm-44" dev="sysfs" ino=82102 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_dm:s0 tclass=dir permissive=0
avc: denied { read } for comm="fsck.f2fs" name="zoned" dev="sysfs" ino=82333 scontext=u:r:fsck:s0 tcontext=u:object_r:sysfs_dm:s0 tclass=file permissive=0

Bug: 172377740
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Iaa4dc9826b614b71b928c33ebc207afab96e586a

diff --git a/public/fsck.te b/public/fsck.te
index 1fb5d0d..25537be 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -48,8 +48,10 @@
allow fsck {
proc_mounts
proc_swaps
+ sysfs_dm
}:file r_file_perms;
allow fsck rootfs:dir r_dir_perms;
+allow fsck sysfs_dm:dir r_dir_perms;
###
### neverallow rules
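Review bot: The new `allow fsck sysfs_dm:dir r_dir_perms;` line and the `sysfs_dm` entry added to the `:file r_file_perms` set carry no comment saying why fsck reads device-mapper sysfs, and the rule's source is the whole `fsck` domain while the quoted denials come only from `fsck.f2fs` reading `zoned` under a `dm-*` directory. Suggest a one-line comment above the dir rule, for example `# fsck.f2fs checks the "zoned" sysfs attribute of the dm device`, so a later policy audit can tell that the grant is intentional and what it is meant to cover. The commit message also says that products without a device-mapper layer need vendor policy for `sysfs_scsi_devices` or `sysfs_devices_block`; a pointer to that in the same comment would save vendors from rediscovering it through denials. The denials show only `search` and `read`, whereas `r_dir_perms` and `r_file_perms` are wider, so it is worth confirming that nothing labelled `sysfs_dm` is a problem to read from this domain.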