Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / d7c3bf781e89a899dce9c81173300cebe35c3f0f^1..d7c3bf781e89a899dce9c81173300cebe35c3f0f / .
commitd7c3bf781e89a899dce9c81173300cebe35c3f0f[log] [tgz]
authorSteven Moreland <smoreland@google.com>Thu Feb 22 19:16:46 2024 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Thu Feb 22 19:16:46 2024 +0000
tree4c129d89dbd6632d052f1e000ecc8a47c536896d
parentd02b0526246c938b8e1539e010533b0bb639082e [diff]
parentb4f42d449b803df11b9f62e9968fce25096ecd5b [diff]
intro misctrl am: b4f42d449b

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2966593

Change-Id: Ie652cf5516fe3c1042931bb07162f39996180e66
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index e002b15..c799171 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test

@@ -405,6 +405,7 @@
 /system/bin/lpdumpd                                               lpdumpd_exec
 /system/bin/rss_hwm_reset                                         rss_hwm_reset_exec
 /system/bin/perfetto                                              perfetto_exec
+/system/bin/misctrl                                               misctrl_exec
 /system/bin/mtectrl                                               mtectrl_exec
 /system/bin/traced                                                traced_exec
 /system/bin/traced_perf                                           traced_perf_exec

diff --git a/private/domain.te b/private/domain.te
index 3454fd1..59e30c8 100644
--- a/private/domain.te
+++ b/private/domain.te

@@ -226,6 +226,7 @@
   -recovery
   -ueventd
   -mtectrl
+  -misctrl
 } misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes

diff --git a/private/file_contexts b/private/file_contexts
index 5e234f7..b9d661a 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -332,6 +332,7 @@
 /system/bin/rss_hwm_reset	u:object_r:rss_hwm_reset_exec:s0
 /system/bin/perfetto        u:object_r:perfetto_exec:s0
 /system/bin/mtectrl         u:object_r:mtectrl_exec:s0
+/system/bin/misctrl         u:object_r:misctrl_exec:s0
 /system/bin/traced        u:object_r:traced_exec:s0
 /system/bin/traced_perf        u:object_r:traced_perf_exec:s0
 /system/bin/traced_probes        u:object_r:traced_probes_exec:s0

diff --git a/private/misctrl.te b/private/misctrl.te
new file mode 100644
index 0000000..c570aa4
--- /dev/null
+++ b/private/misctrl.te

@@ -0,0 +1,15 @@
+# binary for generic misc partition management
+type misctrl, domain, coredomain;
+type misctrl_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(misctrl)
+
+allow misctrl misc_block_device:blk_file rw_file_perms;
+allow misctrl block_device:dir r_dir_perms;
+read_fstab(misctrl)
+
+# bootloader_message tries to find the fstab in the device config path first,
+# but because we've already booted up we can use the ro.boot properties instead,
+# so we can just ignore the SELinux denial.
+dontaudit misctrl sysfs_dt_firmware_android:dir search;
+dontaudit misctrl vendor_property_type:file read;