Policy for overlay_remounter Note - type definitions moved outside the userdebug_or_eng macro to avoid breaking user builds. User build (lynx-trunk_staging-user) built and flashed to avoid a repeat of b/392686305 Test: system/core/fs_mgr/tests/adb-remount-test.sh Bug: 388912628 Change-Id: Ice404a0b798a4dcbfcafb10d5b114807b21dca10

commit: 840b607104c13e51e99edc991cf70cc4a033ea7f [log] [tgz]
author: Paul Lawrence <paullawrence@google.com> Tue Jan 28 07:41:05 2025 -0800
committer: Paul Lawrence <paullawrence@google.com> Tue Jan 28 07:44:41 2025 -0800
tree: 0d10cc7b0a910a9d79b5727177fd14f5c9ae8d86
parent: 86fb1ca1a4aa8798f236c7014d49846b8d8a5fed [diff] [blame]
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 4fe3843..7d8a706 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te

@@ -54,7 +54,7 @@
 neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
 neverallow { domain -bpfloader } fs_bpf_loader:file *;
 
-neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
+neverallow { domain -bpfloader -init userdebug_or_eng(`-overlay_remounter') } bpfloader_exec:file { execute execute_no_trans };
 
 neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
commit	840b607104c13e51e99edc991cf70cc4a033ea7f	[log] [tgz]
author	Paul Lawrence <paullawrence@google.com>	Tue Jan 28 07:41:05 2025 -0800
committer	Paul Lawrence <paullawrence@google.com>	Tue Jan 28 07:44:41 2025 -0800
tree	0d10cc7b0a910a9d79b5727177fd14f5c9ae8d86
parent	86fb1ca1a4aa8798f236c7014d49846b8d8a5fed [diff] [blame]