remount: allow bootanimation to run animation from oem
Grant bootanimation all read permissions on oem using
r_dir_file macro instead of specifying individual permissions.
This prevents failure to read the bootanimation on oem if
partition has been remounted.
After remount, bootanimation will log violation for the
/oem/media directory when reading an existing file (boot animation can
is still played).
avc: denied { read } for pid=2820 comm="bootanimation" name="media"
dev="sda75" ino=152 scontext=u:r:bootanim:s0
tcontext=u:object_r:oemfs:s0 tclass=dir permissive=0
After remount, if modifying/adding file in /oem/media directory,
bootanimation will fail to read the bootanimation zip, now with
violation:
avc: denied { read } for pid=2838 comm="bootanimation" name="media"
dev="dm-8" ino=70 scontext=u:r:bootanim:s0 tcontext=u:object_r:oemfs:s0
tclass=dir permissive=0
Bug: 324437684
Test: adb remount
replace /oem/media/bootanimation.zip with custom animation
adb reboot
confirm that expected bootanimation is played
confirm no selinux violations are seen in logcat
Change-Id: Iaafdeeacaf88d8f5c1214700edc8eec2824b0159
diff --git a/public/bootanim.te b/public/bootanim.te
index 9c7a0ee..a9616b7 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -17,8 +17,7 @@
allow bootanim sysfs_gpu:file r_file_perms;
# /oem access
-allow bootanim oemfs:dir search;
-allow bootanim oemfs:file r_file_perms;
+r_dir_file(bootanim, oemfs);
allow bootanim audio_device:dir r_dir_perms;
allow bootanim audio_device:chr_file rw_file_perms;