selinux rules for loading incremental module
Defining incremental file system driver module, allowing vold to load
and read it.
=== Denial messages ===
02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:507): avc: denied { read } for name="incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:508): avc: denied { open } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1
02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:509): avc: denied { sys_module } for capability=16 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1
02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:510): avc: denied { module_load } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=system permissive=1
Test: manual
BUG: 147371381
Change-Id: I5bf4e28c28736b4332e7a81c344ce97ac7278ffb
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 376c0a5..feb098b 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -89,6 +89,7 @@
vehicle_hal_prop
vendor_apex_file
vendor_boringssl_self_test
+ vendor_incremental_module
vendor_install_recovery
vendor_install_recovery_exec
virtual_ab_prop))
diff --git a/private/file_contexts b/private/file_contexts
index 0a0d3c9..62fbed3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -372,6 +372,7 @@
/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
+(/vendor|system/vendor)/lib(64)?/modules/incrementalfs\.ko u:object_r:vendor_incremental_module:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
diff --git a/public/domain.te b/public/domain.te
index 0ecc280..f2af7b1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1004,6 +1004,7 @@
-vendor_overlay_file
-vendor_public_lib_file
-vendor_task_profiles_file
+ -vendor_incremental_module
-vndk_sp_file
}:file *;
')
diff --git a/public/file.te b/public/file.te
index 4ede12d..3c3d1bc 100644
--- a/public/file.te
+++ b/public/file.te
@@ -210,6 +210,8 @@
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
+# Default type for incremental file system driver
+type vendor_incremental_module, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
diff --git a/public/vold.te b/public/vold.te
index 0ffa119..e8beff5 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -52,6 +52,11 @@
FS_IOC_REMOVE_ENCRYPTION_KEY
};
+# Allow to load incremental file system driver
+allow vold self:capability sys_module;
+allow vold vendor_incremental_module:file r_file_perms;
+allow vold vendor_incremental_module:system module_load;
+
# Only vold and init should ever set file-based encryption policies.
neverallowxperm {
domain