Merge "Add sepolicy for installd check sdcardfs usage property"
diff --git a/Android.bp b/Android.bp
index d47c850..15adf7e 100644
--- a/Android.bp
+++ b/Android.bp
@@ -795,32 +795,9 @@
// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
// contains system/sepolicy/public and system/sepolicy/vendor.
-// TODO(b/33691272): update se_build_files to cover this hard-coded srcs
se_policy_conf {
name: "microdroid_vendor_sepolicy.conf",
- srcs: [
- // The order here is important
- "reqd_mask/security_classes",
- "reqd_mask/initial_sids",
- "reqd_mask/access_vectors",
- "public/global_macros",
- "public/neverallow_macros",
- "reqd_mask/mls_macros",
- "reqd_mask/mls_decl",
- "reqd_mask/mls",
- "public/te_macros",
- "public/attributes",
- "public/ioctl_defines",
- "public/ioctl_macros",
- "public/*.te",
- "reqd_mask/*.te",
- "vendor/*.te",
- "reqd_mask/roles_decl",
- "public/roles",
- "reqd_mask/roles",
- "reqd_mask/users",
- "reqd_mask/initial_sid_contexts",
- ],
+ srcs: [":se_build_files{.plat_vendor}"],
installable: false,
}
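Review bot: The ordering requirement that the deleted list documented (`// The order here is important`) is no longer stated anywhere in this module now that `srcs` is `:se_build_files{.plat_vendor}`, so a reader of microdroid_vendor_sepolicy.conf cannot see that the conf is order-sensitive or where that order now lives. Suggest a one-line comment above `srcs`, e.g. `// Source ordering (reqd_mask, public, vendor) is owned by the .plat_vendor tag in build/soong/build_files.go; do not reintroduce a hand-written list here.` The header comment on the preceding lines still describes the contents correctly.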
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 1704366..88c07fa 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -188,4 +188,12 @@
// reqd_mask is needed for public policies
b.srcs["."+p.String()+"_public"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(p, public), reqdMaskDir)...)
}
+
+ // A special tag, "plat_vendor", includes minimized vendor policies required to boot.
+ // - system/sepolicy/public
+ // - system/sepolicy/reqd_mask
+ // - system/sepolicy/vendor
+ // This is for minimized vendor partition, e.g. microdroid's vendor
+ platVendorDir := filepath.Join(ctx.ModuleDir(), "vendor")
+ b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(system, public), reqdMaskDir, platVendorDir)...)
}
diff --git a/private/apexd.te b/private/apexd.te
index 44e38b6..b94970b 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -183,3 +183,9 @@
# only apexd can write apex-info-list.xml
neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
+
+# Allow for use in postinstall
+allow apexd otapreopt_chroot:fd use;
+allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
+allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd proc_filesystems:file r_file_perms;
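Review bot: The rules under `# Allow for use in postinstall` give apexd `create_dir_perms mounton` and `create_file_perms relabelfrom` on postinstall_apex_mnt_dir without saying why write and relabel access on the staging mount point is needed, and `relabelfrom` has no visible `relabelto` counterpart in this hunk. Since otapreopt_chroot now execs apexd (`domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)` in otapreopt_chroot.te), this apexd instance presumably runs inside the /postinstall chroot; a comment such as `# apexd is exec'd by otapreopt_chroot inside the /postinstall chroot to set up the new image's APEXes under /postinstall/apex` would make the scope explicit. If file creation or relabeling is not actually exercised on that path, trimming to `{ search mounton }` on the dir and dropping `relabelfrom` keeps the grant minimal.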
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 2a827d8..2104f76 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -50,6 +50,7 @@
hal_health_storage_service
hal_memtrack_service
hal_oemlock_service
+ hint_service
gnss_device
hal_dumpstate_config_prop
hal_gnss_service
@@ -72,6 +73,7 @@
mediatuner_service
mediatuner
mediatranscoding_tmpfs
+ memtrackproxy_service
music_recognition_service
nfc_logs_data_file
odrefresh
@@ -82,6 +84,10 @@
pac_proxy_service
people_service
persist_vendor_debug_wifi_prop
+ postinstall_dexopt_exec
+ postinstall_device_mnt_dir
+ postinstall_product_mnt_dir
+ postinstall_vendor_mnt_dir
power_debug_prop
power_stats_service
proc_kallsyms
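Review bot: The new `postinstall_exec` type declared in private/postinstall.te is not added to this ignore list alongside `postinstall_dexopt_exec`, so unless it is covered by a hunk not shown here or mapped in 30.0.cil, the compat-mapping check for the 30.0 vendor policy will flag it as an unmapped new type. Adding `postinstall_exec` next to the other `postinstall_*` entries keeps the group together. The three `postinstall_*_mnt_dir` types listed here are not declared anywhere in the visible diff either, which suggests this listing is partial.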
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index 71960d3..caa6058 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -4,6 +4,9 @@
type derive_classpath_exec, system_file_type, exec_type, file_type;
init_daemon_domain(derive_classpath)
+# Read /apex
+allow derive_classpath apex_mnt_dir:dir r_dir_perms;
+
# Create /data/system/environ/classpath file
allow derive_classpath environ_system_data_file:dir rw_dir_perms;
allow derive_classpath environ_system_data_file:file create_file_perms;
diff --git a/private/domain.te b/private/domain.te
index 94bd059..543a784 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -485,3 +485,7 @@
# (Every domain is allowed self:fork, so this will trigger if the
# intsersection of domain & mlsvendorcompat is not empty.)
neverallow domain mlsvendorcompat:process fork;
+
+# Only init and otapreopt_chroot should be mounting filesystems on locations
+# labeled system or vendor (/product and /vendor respectively).
+neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
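Review bot: The otapreopt_chroot exemption is wider than what otapreopt_chroot.te actually grants: that file only allows `system_file:dir mounton` and `vendor_file:dir mounton`, while this neverallow now tolerates any mounton on every system_file_type/vendor_file_type dir or file for that domain, so a later allow rule could widen it without tripping anything. Splitting the rule keeps the old guarantee for everything else: `neverallow { domain -init } { system_file_type vendor_file_type }:file_class_set mounton;`, `neverallow { domain -init } { system_file_type -system_file vendor_file_type -vendor_file }:dir mounton;`, `neverallow { domain -init -otapreopt_chroot } { system_file vendor_file }:dir mounton;`. The parenthetical `(/product and /vendor respectively)` also reads oddly since system_file_type labels /system as well; `(e.g. /system, /product and /vendor)` is closer.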
diff --git a/private/file_contexts b/private/file_contexts
index d5d773c..4daf401 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -27,13 +27,15 @@
/data_mirror u:object_r:mirror_data_file:s0
/debug_ramdisk u:object_r:tmpfs:s0
/mnt u:object_r:tmpfs:s0
-/postinstall u:object_r:postinstall_mnt_dir:s0
-/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
/proc u:object_r:rootfs:s0
/second_stage_resources u:object_r:tmpfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
+# Postinstall directories
+/postinstall u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
+
/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
# Symlinks
@@ -797,3 +799,9 @@
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
+
+#############################
+# /postinstall file contexts
+/(system|product)/bin/check_dynamic_partitions u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt_script u:object_r:postinstall_exec:s0
+/(system|product)/bin/otapreopt u:object_r:postinstall_dexopt_exec:s0
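Review bot: The `/postinstall file contexts` header does not say what labelling a binary `postinstall_exec` implies: update_engine_common.te now has `domain_auto_trans(update_engine_common, postinstall_exec, postinstall)`, so every path added here becomes an executable that update_engine will run in the postinstall domain from the freshly mounted new image. A comment such as `# Binaries labeled postinstall_exec are exec'd by update_engine_common and transition into the postinstall domain; add entries deliberately.` records that. The `(system|product)` alternative means a /product copy of these tools gets the same treatment, which is presumably intended but worth stating.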
diff --git a/private/gsid.te b/private/gsid.te
index fb40528..e6a395a 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -166,8 +166,6 @@
-init
-gsid
-fastbootd
- -recovery
- -vold
} gsi_metadata_file_type:dir no_w_dir_perms;
neverallow {
@@ -175,7 +173,6 @@
-init
-gsid
-fastbootd
- -vold
} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
neverallow {
@@ -183,7 +180,6 @@
-init
-gsid
-fastbootd
- -vold
} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
# Prevent apps from accessing gsi_metadata_file_type.
@@ -193,15 +189,7 @@
domain
-init
-gsid
-} gsi_data_file:dir *;
-
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
- -vold
-} gsi_data_file:file_class_set *;
+} gsi_data_file:dir_file_class_set *;
neverallow {
domain
diff --git a/private/incidentd.te b/private/incidentd.te
index 70e1187..a574eee 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -22,6 +22,9 @@
# section id 1002, allow reading kernel version /proc/version
allow incidentd proc_version:file r_file_perms;
+# section id 1116, allow accessing statsd socket
+unix_socket_send(incidentd, statsdw, statsd)
+
# section id 2001, allow reading /proc/pagetypeinfo
allow incidentd proc_pagetypeinfo:file r_file_perms;
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 84fde67..2688102 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -19,4 +19,9 @@
# Allow linkerconfig to read apex-info-list.xml
allow linkerconfig apex_info_file:file r_file_perms;
+# Allow linkerconfig to be called in the otapreopt_chroot
+allow linkerconfig otapreopt_chroot:fd use;
+allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
+allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
+
neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index a264be7..9f5f87e 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -16,12 +16,7 @@
# Allow lpdumpd to read fstab.
allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
-
-# Triggered when lpdumpd tries to read default fstab.
-dontaudit lpdumpd metadata_file:dir r_dir_perms;
-dontaudit lpdumpd metadata_file:file r_file_perms;
-dontaudit lpdumpd gsi_metadata_file_type:dir r_dir_perms;
-dontaudit lpdumpd gsi_metadata_file_type:file r_file_perms;
+read_fstab(lpdumpd)
### Neverallow rules
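Review bot: Replacing the four `dontaudit` lines with `read_fstab(lpdumpd)` changes the effect from suppressing a denial to granting the access, but the hunk leaves no comment saying lpdumpd now really reads the fstab-related metadata (the other call sites in this change keep `# Allow ReadDefaultFstab().` above the macro). Suggest `# Allow ReadDefaultFstab(); this grants the metadata/gsi reads that were previously only dontaudit'ed.` so the widening is visible to the next reader. read_fstab itself is not in this diff, so what it grants cannot be checked here.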
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index 529dba3..ea9d4ee 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,10 +1,18 @@
# otapreopt_chroot executable
-type otapreopt_chroot, domain, coredomain;
-type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
+typeattribute otapreopt_chroot coredomain;
+type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot apex_mnt_dir:dir mounton;
+allow otapreopt_chroot device:dir mounton;
+allow otapreopt_chroot linkerconfig_file:dir mounton;
+allow otapreopt_chroot rootfs:dir mounton;
+allow otapreopt_chroot sysfs:dir mounton;
+allow otapreopt_chroot system_data_root_file:dir mounton;
+allow otapreopt_chroot system_file:dir mounton;
+allow otapreopt_chroot vendor_file:dir mounton;
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
# This is required to mount /vendor and mount/unmount ext4 images from
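Review bot: The eight new `mounton` grants (apex_mnt_dir, device, linkerconfig_file, rootfs, sysfs, system_data_root_file, system_file, vendor_file) sit under a comment that still only says `We need to create an unshared mount namespace, and then mount /data`, so a reader cannot tell which mount each rule serves or that mounting over system_file/vendor_file dirs is tolerable only because it happens inside that unshared namespace. A short comment per group, e.g. `# Bind-mount /, /dev, /sys, /apex, /linkerconfig, /data, /system and /vendor into the /postinstall chroot; only valid inside the private mount namespace`, would document the invariant the new private/domain.te neverallow exemption relies on. Whether each of these is a bind mount is inferred from the type names, so the comment should be checked against otapreopt_chroot's actual mount sequence.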
@@ -35,7 +43,9 @@
allow otapreopt_chroot update_engine:fifo_file write;
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
+domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
+domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
# Allow otapreopt_chroot to control linkerconfig
allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
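Review bot: `domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)` makes otapreopt_chroot the only non-init launcher of apexd visible in this policy, and the line carries no comment explaining that this apexd instance is meant to work on the /postinstall staging tree rather than the live /apex. Suggest `# Run apexd and linkerconfig from the new image inside the chroot to populate /postinstall/apex; this apexd must not touch the live /apex` above the two new transitions, adjusted to whatever otapreopt_chroot actually enforces. The matching apexd.te rules only grant postinstall_apex_mnt_dir, which is consistent with that reading.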
diff --git a/private/postinstall.te b/private/postinstall.te
index 363e362..7060c59 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te
@@ -1,3 +1,5 @@
typeattribute postinstall coredomain;
-
+type postinstall_exec, system_file_type, exec_type, file_type;
domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
+
+allow postinstall rootfs:dir r_dir_perms;
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 4c4960c..0b1a032 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -4,6 +4,7 @@
# this is derived and adapted from installd.te.
type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
+type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
@@ -20,6 +21,8 @@
allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt rootfs:file r_file_perms;
+
allow postinstall_dexopt tmpfs:file read;
# Allow access to /postinstall/apex.
diff --git a/private/property_contexts b/private/property_contexts
index 306b40a..6a00538 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -497,6 +497,7 @@
ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.swap_util_max u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int
+ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.thrashing_limit_decay u:object_r:lmkd_config_prop:s0 exact int
ro.lmk.use_minfree_levels u:object_r:lmkd_config_prop:s0 exact bool
ro.lmk.upgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
@@ -591,7 +592,8 @@
# default contexts only accessible by coredomain
init.svc. u:object_r:init_service_status_private_prop:s0 prefix string
-# vendor-init-readable init service props
+# Globally-readable init service props
+init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string
init.svc.bugreportd u:object_r:init_service_status_prop:s0 exact string
init.svc.console u:object_r:init_service_status_prop:s0 exact string
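Review bot: Adding `init.svc.adbd` to init_service_status_prop, under a header now reading `Globally-readable`, lets every domain observe whether adbd is running, a small disclosure of the device's debug state that the hunk does not justify. A comment naming the consumer outside coredomain that needs it, e.g. `# init.svc.adbd: read by <reader> to ...`, would make the grant reviewable and discourage copying it for other services. If the reader is a coredomain process, the `init.svc.` prefix entry labeled init_service_status_private_prop two lines above already covers it and this entry is unnecessary.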
diff --git a/private/service_contexts b/private/service_contexts
index 125b05d..e47cd6e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -41,7 +41,6 @@
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.security.vpnprofilestore u:object_r:vpnprofilestore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
-android.system.keystore2 u:object_r:keystore_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
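Review bot: Deleting `android.system.keystore2` leaves no replacement entry in this hunk, so a binder service still registering under that name would fall to the default service_contexts label and be denied at add_service time rather than mapped to keystore_service. If keystore2 has moved to an AIDL-style instance name with its own entry elsewhere in the file, the removal is a cleanup; otherwise it is a functional regression. A pointer to the surviving entry in the commit description would settle it.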
@@ -125,6 +124,7 @@
hardware u:object_r:hardware_service:s0
hardware_properties u:object_r:hardware_properties_service:s0
hdmi_control u:object_r:hdmi_control_service:s0
+hint u:object_r:hint_service:s0
ions u:object_r:radio_service:s0
idmap u:object_r:idmap_service:s0
incident u:object_r:incident_service:s0
@@ -178,6 +178,7 @@
media_router u:object_r:media_router_service:s0
media_session u:object_r:media_session_service:s0
meminfo u:object_r:meminfo_service:s0
+memtrack.proxy u:object_r:memtrackproxy_service:s0
midi u:object_r:midi_service:s0
mount u:object_r:mount_service:s0
music_recognition u:object_r:music_recognition_service:s0
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
index a7fb584..8571ff6 100644
--- a/private/update_engine_common.te
+++ b/private/update_engine_common.te
@@ -1,5 +1,13 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and will always be tagged as a
-# postinstall_file regardless of its attributes in the new system.
+# The postinstall program is run by update_engine_common and must be tagged
+# with postinstall_exec in the new filesystem.
+# TODO Have build system attempt to verify this
+domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
+
+# Vendor directories can have the transition as well during OTA. This is caused
+# by update_engine execing scripts in vendor to perform any update tasks needed
+# there.
domain_auto_trans(update_engine_common, postinstall_file, postinstall)
+
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
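Review bot: `allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };` is added here and, in the same change, to public/update_engine_common.te (where the old `relabelfrom`-only rule is widened to the same set), so the private copy is redundant and the two will drift. Keep the public one, which sits next to the related postinstall_file:filesystem rule and its explanatory comment, and drop this line. The `TODO Have build system attempt to verify this` above would also be more actionable with a bug reference.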
diff --git a/public/device.te b/public/device.te
index e2dc511..16cc492 100644
--- a/public/device.te
+++ b/public/device.te
@@ -50,7 +50,7 @@
type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
-type uhid_device, dev_type;
+type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
type usbaccessory_device, dev_type, mlstrustedobject;
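Review bot: Adding `mlstrustedobject` to uhid_device exempts the node from MLS level checks for every domain that can already open it, and the hunk gives no reason; if uhid_device labels /dev/uhid, whoever opens it can present virtual input devices, so the relaxation deserves a justification. A comment naming the multi-level user, e.g. `# mlstrustedobject: needed by <domain>, which runs at per-user MLS levels`, would make it auditable. If only one domain needs it, consider making that domain mlstrustedsubject instead of loosening the object for all.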
diff --git a/public/domain.te b/public/domain.te
index f46ca67..0c37ee4 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -514,7 +514,6 @@
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
-neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -1076,6 +1075,9 @@
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
+neverallow { domain -init -system_server } heapdump_data_file:file read;
+
# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
new file mode 100644
index 0000000..db8dd1a
--- /dev/null
+++ b/public/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+# otapreopt_chroot seclabel
+
+# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
+type otapreopt_chroot, domain;
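Review bot: Moving `type otapreopt_chroot, domain;` into public makes the type part of the vendor-visible policy surface, and the `TODO` says this is only to satisfy one vendor policy tree; without a bug reference and an explicit statement that vendor policy must not add rules to it, it will be hard to move back. Suggest `# TODO(<bug>): public only so mediatek/wembley-sepolicy can reference it for validation; vendor policy must not grant this domain anything. Move back to private once that tree no longer needs it.` The coredomain attribute correctly stays in private/otapreopt_chroot.te.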
diff --git a/public/service.te b/public/service.te
index a69118e..0b4f8e9 100644
--- a/public/service.te
+++ b/public/service.te
@@ -124,6 +124,7 @@
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
+type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type incremental_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -144,6 +145,7 @@
type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
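Review bot: `memtrackproxy_service` is marked app_api_service and ephemeral_app_api_service, so any app including instant apps can reach it over binder, and the hunk says nothing about what the proxy exposes or that it checks callers against the memtrack data it presumably fronts. Since the adjacent `meminfo_service` is system_api_service only, the difference deserves a one-line justification, e.g. `# memtrack.proxy: callers may only query their own processes; enforced in the service`. If the service does not enforce that itself, dropping ephemeral_app_api_service at least narrows the exposure.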
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 79f3b4c..0f549c9 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -38,6 +38,5 @@
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
-# Suppress the denials coming from ReadDefaultFstab call.
-dontaudit uncrypt gsi_metadata_file_type:dir search;
-dontaudit uncrypt metadata_file:dir search;
+# Allow ReadDefaultFstab().
+read_fstab(uncrypt)
diff --git a/public/update_engine.te b/public/update_engine.te
index 962ca99..ab7090b 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -64,12 +64,11 @@
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
+# Allow ReadDefaultFstab().
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
-# device. ReadDefaultFstab() checks whether a GSI is running by checking
-# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
-# the access.
-dontaudit update_engine gsi_metadata_file_type:dir search;
+# device.
+read_fstab(update_engine)
# Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.
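Review bot: The replaced comment stated why the GSI metadata lookup was denied (`We never apply OTAs when GSI is running`), and the new `read_fstab(update_engine)` grants that access without carrying the reasoning forward. Keep the context so the next reader knows the GSI read is only for fstab selection and not an OTA-on-GSI path: `# Allow ReadDefaultFstab(); the GSI metadata read only selects the fstab, OTAs are still never applied while a GSI is running.` The read_fstab macro is not in this diff, so the exact set of types it opens up is not reviewable here.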
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index dd90fbc..286ff4d 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -33,7 +33,7 @@
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem relabelfrom;
+allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
# Allow update_engine_common to read and execute postinstall_file.
allow update_engine_common postinstall_file:file rx_file_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index db99b9e..25d0dcb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -263,6 +263,7 @@
get_prop(vendor_init, provisioned_prop)
get_prop(vendor_init, retaildemo_prop)
get_prop(vendor_init, surfaceflinger_display_prop)
+get_prop(vendor_init, test_harness_prop)
get_prop(vendor_init, theme_prop)
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 7025652..3bc3a9f 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -8,8 +8,9 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer gsi_metadata_file_type:dir search;
dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
-dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(vendor_misc_writer)
diff --git a/public/vold.te b/public/vold.te
index d1731cc..5a14c44 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -293,9 +293,8 @@
dontaudit vold self:global_capability_class_set sys_resource;
-# vold needs to know whether we're running a GSI.
-allow vold gsi_metadata_file_type:dir r_dir_perms;
-allow vold gsi_metadata_file_type:file r_file_perms;
+# Allow ReadDefaultFstab().
+read_fstab(vold)
# vold might need to search loopback apex files
allow vold vendor_apex_file:file r_file_perms;
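Review bot: vold loses both the explicit `gsi_metadata_file_type:file r_file_perms` allow and its `-vold` exemptions in the gsid.te neverallows in the same change, so `read_fstab(vold)` must grant at most dir search plus read of gsi_public_metadata_file; a grant of `gsi_metadata_file_type:file` inside the macro would now violate the gsid.te neverallow on `{ gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *`, which as far as visible excludes only init, gsid and fastbootd. The macro is not in this diff, so this is a consistency check to run rather than a defect found. A comment like `# read_fstab is limited to gsi_public_metadata_file; see the neverallows in gsid.te` would tie the two together.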
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index ac30370..2b94313 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -9,10 +9,7 @@
allow hal_bootctl_default proc_cmdline:file r_file_perms;
allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
-
-# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
-# a GSI-corrected fstab.
-dontaudit hal_bootctl_default metadata_file:dir search;
+read_fstab(hal_bootctl_default)
# Needed for reading/writing misc partition.
allow hal_bootctl_default block_device:dir search;
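Review bot: `read_fstab(hal_bootctl_default)` is dropped in without the `# Allow ReadDefaultFstab().` line that the other call sites in this change (uncrypt, update_engine, vendor_misc_writer, vold) keep, and the removed text explaining that a GSI-corrected fstab is not needed is gone with it. Suggest `# Allow ReadDefaultFstab() (libfstab looks for /metadata/gsi/booted; we don't need the GSI-corrected fstab).` to preserve both. The sysfs/proc allows above it are unchanged.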