RESTRICT AUTOMERGE Revert "Move mtectrl to private"
Revert submission 1959735
Reason for revert: b/220807329
Reverted Changes:
Idb5c4a4c6:Move mtectrl to private
I2e8419366:Add policy for command line tool to control MTE bo...
Change-Id: I663113df93fe9fec597ad346a1d07888b068c20e
diff --git a/public/domain.te b/public/domain.te
index 9d0c46d..5c7c18c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -610,6 +610,26 @@
-update_engine
} system_block_device:blk_file { write append };
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -fastbootd
+ -hal_bootctl_server
+ -init
+ -uncrypt
+ -update_engine
+ -vendor_init
+ -vendor_misc_writer
+ -vold
+ -recovery
+ -ueventd
+ -mtectrl
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
# The service managers are only allowed to access their own device node
diff --git a/public/mtectrl.te b/public/mtectrl.te
new file mode 100644
index 0000000..2fb8a96
--- /dev/null
+++ b/public/mtectrl.te
@@ -0,0 +1 @@
+type mtectrl, domain, coredomain;