Policy for overlay_remounter
Note - type definitions moved outside the userdebug_or_eng macro to
avoid breaking user builds. User build (lynx-trunk_staging-user) built
and flashed to avoid a repeat of b/392686305
Test: system/core/fs_mgr/tests/adb-remount-test.sh
Bug: 388912628
Change-Id: Ice404a0b798a4dcbfcafb10d5b114807b21dca10
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 259c402..95bdd1c 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -115,8 +115,16 @@
r_dir_file(virtualizationmanager, vendor_microdroid_file)
# Do not allow writing vendor_microdroid_file from any process.
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:dir no_w_dir_perms;
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:file no_w_file_perms;
+neverallow {
+ domain
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+ userdebug_or_eng(`-overlay_remounter')
+} vendor_microdroid_file:dir no_w_dir_perms;
+neverallow {
+ domain
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
+ userdebug_or_eng(`-overlay_remounter')
+} vendor_microdroid_file:file no_w_file_perms;
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);