Policy for overlay_remounter
Note - type definitions moved outside the userdebug_or_eng macro to
avoid breaking user builds. User build (lynx-trunk_staging-user) built
and flashed to avoid a repeat of b/392686305
Test: system/core/fs_mgr/tests/adb-remount-test.sh
Bug: 388912628
Change-Id: Ice404a0b798a4dcbfcafb10d5b114807b21dca10
diff --git a/private/init.te b/private/init.te
index 35d7647..6f0ee80 100644
--- a/private/init.te
+++ b/private/init.te
@@ -814,7 +814,7 @@
# The init domain is only entered via an exec based transition from the
# kernel domain, never via setcon().
neverallow domain init:process dyntransition;
-neverallow { domain -kernel } init:process transition;
+neverallow { domain -kernel userdebug_or_eng(`-overlay_remounter') } init:process transition;
neverallow init { file_type fs_type -init_exec }:file entrypoint;
# Never read/follow symlinks created by shell or untrusted apps.
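Review bot: The comment above the changed rule still says the init domain is "only entered via an exec based transition from the kernel domain", which is no longer true on userdebug/eng builds now that `-overlay_remounter` is subtracted from the `init:process transition` neverallow. Since this widens who may enter the most privileged domain, the exception should be documented in place, for example `# userdebug/eng only: overlay_remounter may exec back into init (b/388912628)`; the exact reason is inferred from the commit title and should be confirmed by the author. The matching `allow overlay_remounter init:process transition` rule is not in this hunk, and it needs to sit inside `userdebug_or_eng(...)` as well so that user-build policy keeps the kernel as the sole source domain. The `entrypoint` neverallow on the following line is unchanged, so the transition remains limited to `init_exec`, and that is worth stating in the same comment.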