Policy for overlay_remounter
Note - type definitions moved outside the userdebug_or_eng macro to
avoid breaking user builds. User build (lynx-trunk_staging-user) built
and flashed to avoid a repeat of b/392686305
Test: system/core/fs_mgr/tests/adb-remount-test.sh
Bug: 388912628
Change-Id: Ice404a0b798a4dcbfcafb10d5b114807b21dca10
diff --git a/private/incident.te b/private/incident.te
index db9ae86..19db7d7 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -34,4 +34,14 @@
allow incident incidentd:fifo_file write;
# only allow incident being called by shell or dumpstate
-neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
+neverallow {
+ domain
+ -su
+ -shell
+ -incident
+ -dumpstate
+ userdebug_or_eng(`-overlay_remounter')
+} incident_exec:file {
+ execute
+ execute_no_trans
+};
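Review bot: The comment above this neverallow still reads `# only allow incident being called by shell or dumpstate`, but the rewritten rule also exempts `overlay_remounter` on userdebug/eng builds, so the comment no longer matches what the assertion enforces. I would update it to something like `# only allow incident being called by shell or dumpstate; overlay_remounter is exempt on userdebug/eng only (b/388912628)` and add a line on why the remounter needs the exemption at all. The exemption covers `execute_no_trans` as well as `execute`, which removes the compile-time guard against that domain running the incident binary in its own context. If the exemption exists only because overlay_remounter's allow rules are written against a broad file attribute (not visible in this hunk), say so in the comment. It is also worth confirming that the corresponding allow rule is itself wrapped in `userdebug_or_eng`, so user builds keep the original guarantee.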