Allow apexd to access a new dev_type: virtual disk

In microdroid, apexd activates apexes which are passed as a virtual disk
to share apexes with host Android.

Bug: 184605708
Test: apexd running in microdroid can read /dev/block/vdb2
  when a disk image is passed to crosvm via --disk= option.
Change-Id: Ie27774868a0e0befb4c42cff795d1531b042654c
diff --git a/private/apexd.te b/private/apexd.te
index b94970b..862bab9 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -52,6 +52,9 @@
 # allow apexd to access /dev/block
 allow apexd block_device:dir r_dir_perms;
 
+#allow apexd to access virtual disks
+allow apexd vd_device:blk_file r_file_perms;
+
 # allow apexd to access /dev/block/dm-* (device-mapper entries)
 allow apexd dm_device:chr_file rw_file_perms;
 allow apexd dm_device:blk_file rw_file_perms;
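Review bot: The added rule lets apexd read every node labelled vd_device, and the file_contexts hunk in this commit applies that label to all of `/dev/block/vd[a-z][0-9]*`. That is wider than the single APEX payload partition named in the Test line (/dev/block/vdb2), and since this is private/apexd.te the grant presumably also applies on builds other than microdroid. The comment should say so and follow the spacing of its neighbours, e.g. `# allow apexd to read virtio block devices (/dev/block/vd*); microdroid receives APEXes from the host as a virtual disk`. Because the disk content is supplied from outside the VM, it is also worth noting there that apexd must verify what it reads from these devices rather than rely on the label.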
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index e5681de..a115831 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -126,6 +126,7 @@
     userdata_sysdev
     userspace_reboot_metadata_file
     vcn_management_service
+    vd_device
     vendor_kernel_modules
     vibrator_manager_service
     virtualization_service
diff --git a/private/file_contexts b/private/file_contexts
index 3786147..3a8642d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -88,6 +88,7 @@
 /dev/block(/.*)?	u:object_r:block_device:s0
 /dev/block/dm-[0-9]+	u:object_r:dm_device:s0
 /dev/block/loop[0-9]*	u:object_r:loop_device:s0
+/dev/block/vd[a-z][0-9]*  u:object_r:vd_device:s0
 /dev/block/vold/.+	u:object_r:vold_device:s0
 /dev/block/ram[0-9]*	u:object_r:ram_device:s0
 /dev/block/zram[0-9]*	u:object_r:ram_device:s0
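Review bot: The new pattern `/dev/block/vd[a-z][0-9]*` accepts exactly one letter after `vd`, so a virtio disk past the 26th (the kernel names those vdaa, vdab, …) would keep the generic block_device label and fall outside the new apexd rule. `/dev/block/vd[a-z]+[0-9]*` would cover them, if that is intended. The entry also separates the path from its context with two spaces where the neighbouring lines use a tab. The pattern matches whole disks as well as partitions, so every virtio disk visible to the system gets this label, not just the one carrying APEXes.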
diff --git a/private/init.te b/private/init.te
index 2627add..13d4900 100644
--- a/private/init.te
+++ b/private/init.te
@@ -66,6 +66,10 @@
 # Allow for libsnapshot's use of flock() on /metadata/ota.
 allow init ota_metadata_file:dir lock;
 
+# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
+# /dev/block.
+allow init vd_device:blk_file relabelto;
+
 # Only init is allowed to set the sysprop indicating whether perf_event_open()
 # SELinux hooks were detected.
 set_prop(init, init_perf_lsm_hooks_prop)
diff --git a/public/device.te b/public/device.te
index 16cc492..686f955 100644
--- a/public/device.te
+++ b/public/device.te
@@ -17,6 +17,7 @@
 type radio_device, dev_type;
 type ram_device, dev_type;
 type rtc_device, dev_type;
+type vd_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
 type fscklogs, dev_type;