selinux rules for loading incremental module Defining incremental file system driver module, allowing vold to load and read it. === Denial messages === 02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:507): avc: denied { read } for name="incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1 02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:508): avc: denied { open } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=file permissive=1 02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:509): avc: denied { sys_module } for capability=16 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=1 02-04 16:48:29.193 595 595 I Binder:595_4: type=1400 audit(0.0:510): avc: denied { module_load } for path="/vendor/lib/modules/incrementalfs.ko" dev="dm-2" ino=1684 scontext=u:r:vold:s0 tcontext=u:object_r:vendor_incremental_module:s0 tclass=system permissive=1 Test: manual BUG: 147371381 Change-Id: I5bf4e28c28736b4332e7a81c344ce97ac7278ffb

commit: 99d9374760985e872b786d86013a8490dc6fcccf [log] [tgz]
author: Songchun Fan <schfan@google.com> Tue Feb 04 13:53:39 2020 -0800
committer: Songchun Fan <schfan@google.com> Fri Feb 07 09:52:34 2020 -0800
tree: e9f2e037b94fc3f99a29efac5a0f06802a962a5c
parent: 28d5e87d39b7a77b51e41c1d2ed61ceeb49501bc [diff]
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 376c0a5..feb098b 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil

@@ -89,6 +89,7 @@
     vehicle_hal_prop
     vendor_apex_file
     vendor_boringssl_self_test
+    vendor_incremental_module
     vendor_install_recovery
     vendor_install_recovery_exec
     virtual_ab_prop))

diff --git a/private/file_contexts b/private/file_contexts
index 0a0d3c9..62fbed3 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -372,6 +372,7 @@
 /(vendor|system/vendor)/apex(/[^/]+){0,2}                      u:object_r:vendor_apex_file:s0
 /(vendor|system/vendor)/bin/misc_writer                        u:object_r:vendor_misc_writer_exec:s0
 /(vendor|system/vendor)/bin/boringssl_self_test(32|64)         u:object_r:vendor_boringssl_self_test_exec:s0
+(/vendor|system/vendor)/lib(64)?/modules/incrementalfs\.ko     u:object_r:vendor_incremental_module:s0
 
 # HAL location
 /(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
commit	99d9374760985e872b786d86013a8490dc6fcccf	[log] [tgz]
author	Songchun Fan <schfan@google.com>	Tue Feb 04 13:53:39 2020 -0800
committer	Songchun Fan <schfan@google.com>	Fri Feb 07 09:52:34 2020 -0800
tree	e9f2e037b94fc3f99a29efac5a0f06802a962a5c
parent	28d5e87d39b7a77b51e41c1d2ed61ceeb49501bc [diff]