Allow overlayfs to overwrite deleted files
Overlayfs creates a chr_file to white out (mark as deleted) a file or
directory on the lower fs. That works fine with existing policy, but if
that file is later overwritten the chr_file must be deleted. The
chr_file is created as an overlayfs_file, so the first part works, but
once it is moved in place it takes the type of the original file.
Thus we must allow overlayfs to unlink chr_files of system etc. type.
Bug: 394290609
Test: Run below commands after remounting:
adb shell mv /etc/permissions/privapp-permissions-google.xml /etc/permissions/privapp-permissions-google.xml_tmp
adb shell mv /etc/permissions/privapp-permissions-google.xml_tmp /etc/permissions/privapp-permissions-google.xml
Change-Id: Id0e2a9cef861ef4fbda0a1fca7a486ac019b3d20
diff --git a/private/overlay_remounter.te b/private/overlay_remounter.te
index 766ed68..12f7b0d 100644
--- a/private/overlay_remounter.te
+++ b/private/overlay_remounter.te
@@ -36,5 +36,12 @@
vendor_file_type
system_file_type
adb_keys_file
+ }:chr_file unlink;
+
+ allow overlay_remounter {
+ system_dlkm_file_type
+ vendor_file_type
+ system_file_type
+ adb_keys_file
}:{ dir lnk_file } *;
')
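Review bot: the added `}:chr_file unlink;` rule carries no comment saying it exists for overlayfs whiteouts, and it applies to every type in the set (`vendor_file_type`, `system_file_type`, `adb_keys_file`), which is broader than the "system etc type" wording in the commit message suggests. Add a short comment above the rule stating that the chr_file is a whiteout which takes the label of the file it replaces once it is moved into place, so a later reader does not mistake it for a general permission over device nodes with these labels. Keeping the permission to `unlink` only is the right scope; it should not be folded into the `*` grant that the `{ dir lnk_file }` rule uses. The type list is now repeated across two allow rules in this hunk, so consider factoring it out so the two copies cannot drift apart when a type is added later.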