Allow the init and apexd processes to read all block device properties
Addressing b/194450129 requires configuring the I/O scheduler and the
queue depth of loop devices. Doing this in a generic way requires
iterating over the block devices under /sys/class/block and also
examining the properties of the boot device (/dev/sda). Hence this patch
that allows 'init' and 'apexd' to read the properties of all block
devices. The patch that configures the queue depth is available at
https://android-review.googlesource.com/c/platform/system/core/+/1783847.
Test: Built Android images, installed these on an Android device and verified that modified init and apexd processes do not trigger any SELinux complaints.
Change-Id: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
diff --git a/private/init.te b/private/init.te
index b7b3f38..f569e0c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -42,6 +42,12 @@
allow init sysfs_loop:dir r_dir_perms;
allow init sysfs_loop:file rw_file_perms;
+# Allow init to examine the properties of block devices.
+allow init sysfs_block_type:file { getattr read };
+# Allow init access /dev/block
+allow init bdev_type:dir r_dir_perms;
+allow init bdev_type:blk_file getattr;
+
# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;
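Review bot: the rule `allow init sysfs_block_type:file { getattr read };` grants init read access to the sysfs attributes of every block device, while the description motivates only loop devices (already covered by the `sysfs_loop` rules just above this hunk) and the boot device; either state in the commit message why the generic iteration over /sys/class/block needs the whole type, or consider a dedicated label for the boot device's sysfs node so the grant stays as narrow as the use case. Separately, the comment `# Allow init access /dev/block` is missing its verb; `# Allow init to access /dev/block` would match the phrasing of the neighbouring comments. Finally, the title and description say both init and apexd gain these permissions, but this diff touches only private/init.te; confirm the corresponding apexd.te rules are part of the same change.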