Merge "Add context that system server can access and perfetto can save traces to" into android14-tests-dev
diff --git a/private/domain.te b/private/domain.te
index 59d9d8a..db1d709 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -197,6 +197,7 @@
   -recovery
   -ueventd
   -mtectrl
+  -misctrl
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
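Review bot: The new `-misctrl` entry carries no comment explaining why this domain is excluded from the misc_block_device restriction. The exclusion set also covers `link`, `rename` and `relabelfrom`, while the new misctrl.te grants only `rw_file_perms`. The rule's head is outside this hunk, so this is presumably a neverallow exception list, which should be confirmed. A short comment beside the entry would let a later audit of who may write the misc partition trace each exemption, for example `# misctrl: generic misc partition management, see private/misctrl.te`.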
@@ -623,6 +624,7 @@
     -vendor_task_profiles_file
     -vendor_uuid_mapping_config_file
     -vndk_sp_file
+    -vendor_aconfig_storage_file
   }:file *;
 ')
 
diff --git a/private/file.te b/private/file.te
index 6fd11e2..1c07416 100644
--- a/private/file.te
+++ b/private/file.te
@@ -140,3 +140,6 @@
 
 # Type for /sys/devices/uprobe.
 type sysfs_uprobe, fs_type, sysfs_type;
+
+# Type for /vendor/etc/aconfig
+type vendor_aconfig_storage_file, vendor_file_type, file_type;
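Review bot: Nothing visible in this change labels a path with `vendor_aconfig_storage_file`. The comment names /vendor/etc/aconfig, but the only file_contexts hunk here adds /system/bin/misctrl, so unless the label is assigned elsewhere the type is unused. The domain.te hunk at line 623 already lists the type in an exclusion set ending in `}:file *;`, which exempts every file permission on it. That rule's head is outside the hunk, so the domains it covers cannot be confirmed from here. The comment should state where the label is applied and which domains are expected to access it, so the exemption can be checked against an intended reader set.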
diff --git a/private/file_contexts b/private/file_contexts
index a2bb16e..4659ba3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -323,6 +323,7 @@
 /system/bin/rss_hwm_reset	u:object_r:rss_hwm_reset_exec:s0
 /system/bin/perfetto        u:object_r:perfetto_exec:s0
 /system/bin/mtectrl         u:object_r:mtectrl_exec:s0
+/system/bin/misctrl         u:object_r:misctrl_exec:s0
 /system/bin/traced        u:object_r:traced_exec:s0
 /system/bin/traced_perf        u:object_r:traced_perf_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0
diff --git a/private/misctrl.te b/private/misctrl.te
new file mode 100644
index 0000000..c570aa4
--- /dev/null
+++ b/private/misctrl.te
@@ -0,0 +1,15 @@
+# binary for generic misc partition management
+type misctrl, domain, coredomain;
+type misctrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(misctrl)
+
+allow misctrl misc_block_device:blk_file rw_file_perms;
+allow misctrl block_device:dir r_dir_perms;
+read_fstab(misctrl)
+
+# bootloader_message tries to find the fstab in the device config path first,
+# but because we've already booted up we can use the ro.boot properties instead,
+# so we can just ignore the SELinux denial.
+dontaudit misctrl sysfs_dt_firmware_android:dir search;
+dontaudit misctrl vendor_property_type:file read;
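Review bot: `dontaudit misctrl vendor_property_type:file read;` suppresses read denials for every type carrying the vendor_property_type attribute, but the comment above it justifies only the fstab lookup done by bootloader_message. A suppressed denial leaves no audit record, so any other vendor-property read attempted by this domain would go unlogged, and the domain holds `rw_file_perms` on misc_block_device. If the lookup touches a known property type, name that type in the rule instead of the attribute. Otherwise extend the comment to say the breadth is deliberate, e.g. `# Attribute-wide on purpose: only the bootloader_message fstab lookup reads vendor properties here.`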