Policy for overlay_remounter
Note - type definitions moved outside the userdebug_or_eng macro to
avoid breaking user builds. User build (lynx-trunk_staging-user) built
and flashed to avoid a repeat of b/392686305
Test: system/core/fs_mgr/tests/adb-remount-test.sh
Bug: 388912628
Change-Id: Ice404a0b798a4dcbfcafb10d5b114807b21dca10
diff --git a/private/kernel.te b/private/kernel.te
index 1b82c66..0d3aa77 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -2,6 +2,9 @@
domain_auto_trans(kernel, init_exec, init)
domain_auto_trans(kernel, snapuserd_exec, snapuserd)
+userdebug_or_eng(`
+ domain_auto_trans(kernel, overlay_remounter_exec, overlay_remounter)
+')
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
@@ -150,6 +153,15 @@
# required by VTS lidbm unit test
allow kernel appdomain_tmpfs:file { read write };
+# Allow first stage init to copy and then launch overlay_remounter
+userdebug_or_eng(`
+ allow kernel tmpfs:dir rw_dir_perms;
+ allow kernel tmpfs:file { create_file_perms relabelfrom };
+ allow kernel overlay_remounter_exec:file { relabelto unlink };
+ allow kernel overlay_remounter:process2 nosuid_transition;
+ allow kernel overlay_remounter:process share;
+')
+
dontaudit kernel metadata_file:dir search;
dontaudit kernel ota_metadata_file:dir rw_dir_perms;
dontaudit kernel sysfs:dir r_dir_perms;