Fix e2fsck denials introduced by latest e2fsprogs merge.

This resulted from changes in e2fsprogs logic which traverses
/proc/mounts to warn about fixing a mounted filesystem.

Denials:

        07-08 15:08:21.207   853   853 I auditd  : type=1400 audit(0.0:88): avc: denied { getattr } for comm="e2fsck" path="/metadata" dev="vda12" ino=2 scontext=u:r:fsck:s0 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=0
        07-08 15:08:21.207   853   853 I auditd  : type=1400 audit(0.0:89): avc: denied { search } for comm="e2fsck" name="/" dev="tmpfs" ino=1 scontext=u:r:fsck:s0 tcontext=u:object_r:mirror_data_file:s0 tclass=dir permissive=0

Bug: 193137337
Test: treehugger
Change-Id: Ib050463f7fa6ea453795c933ff388d3594bb7c23
diff --git a/private/domain.te b/private/domain.te
index 63e1bde..5bb4831 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -397,6 +397,7 @@
 # Limit directory operations that doesn't need to do app data isolation.
 neverallow {
   domain
+  -fsck
   -init
   -installd
   -zygote
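Review bot: Adding `-fsck` to the exemption set takes fsck out of this neverallow entirely, while the allow rule added in public/fsck.te grants only `search` on `mirror_data_file:dir`, so the build-time check would no longer catch a later, wider grant to fsck on that type. The neverallow's target and permission set lie outside this hunk; judging by the comment and the second denial in the commit message, it presumably covers `mirror_data_file:dir`. If so, a compensating rule such as `neverallow fsck mirror_data_file:dir ~{ search };` would keep the exemption as narrow as the allow. A short comment beside the new entry would also record the reason, e.g. `# fsck: e2fsck walks /proc/mounts for its mounted-filesystem check (search only)`.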
diff --git a/public/fsck.te b/public/fsck.te
index 7a9fbee..1fb5d0d 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -14,7 +14,6 @@
 allow fsck vold:fifo_file { read write getattr };
 
 # Run fsck on certain block devices
-allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
@@ -22,6 +21,12 @@
 allow fsck system_block_device:blk_file rw_file_perms;
 ')
 
+# e2fsck performs a comprehensive search of /proc/mounts to check whether the
+# checked filesystem is currently mounted.
+allow fsck metadata_file:dir getattr;
+allow fsck block_device:dir search;
+allow fsck mirror_data_file:dir search;
+
 # For the block devices where we have ioctl access,
 # allow at a minimum the following common fsck ioctls.
 allowxperm fsck dev_type:blk_file ioctl {
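Review bot: `allow fsck block_device:dir search;` is moved from under "Run fsck on certain block devices" to the new /proc/mounts comment, although the denials in the commit message only involve `metadata_file` and `mirror_data_file`; the rule predates the e2fsprogs change, so the new comment appears to mislabel why it exists. I would leave it where it was in the previous hunk, or give it its own line such as `# Needed to reach the block device nodes fsck operates on.` (wording for the author to confirm). The comment could also state that the two new grants are deliberately limited to `getattr` and `search`, e.g. `# Mount points are only looked up; do not widen to r_dir_perms.`, so a later edit does not broaden fsck's access to the app-data mirror. The `allowxperm` statement at the end of this hunk continues outside it.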