snapuserd: Add selinux policy
Add selinux policy to allow snapuserd to search
through /dev/block/ and read /sys/block directory.
Bug: 193863442
Test: OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I656aee69f4c07ed7caeb1c3c14e44e1a25bd1ba1
diff --git a/private/snapuserd.te b/private/snapuserd.te
index 2956891..78f4d76 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -8,6 +8,18 @@
allow snapuserd kmsg_device:chr_file rw_file_perms;
+# Allow snapuserd to reach block devices in /dev/block.
+allow snapuserd block_device:dir search;
+
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow snapuserd sysfs:dir { open read };
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and dynamic partitions.
+allow snapuserd sysfs_dm:dir { open read search };
+allow snapuserd sysfs_dm:file r_file_perms;
+
# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
allow snapuserd block_device:dir r_dir_perms;
allow snapuserd dm_device:chr_file rw_file_perms;
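Review bot: The `allow snapuserd block_device:dir search;` rule added at the top of the hunk is redundant with the pre-existing `allow snapuserd block_device:dir r_dir_perms;` a few lines below, since `r_dir_perms` already includes `search`; the new rule and its comment can be dropped rather than leaving two overlapping grants for the same object class. The comment on the `sysfs_dm` rules explains that `/sys/block/dm-X/dm/name` is reached through a symlink, but nothing in the hunk grants `lnk_file read` on the symlink's own label (presumably plain `sysfs`), so unless a domain-wide rule already covers it the path walk will be denied at the link, not at the `sysfs_dm` file. Likewise, opening `/sys/block` requires `search` on `sysfs:dir`, which the `{ open read }` rule does not include unless it is inherited from elsewhere. It would be worth checking the AVC log from the OTA test for denials on `sysfs:lnk_file` and `sysfs:dir search` before landing.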