From 9b9bee2c1a7846471bf03aefd91f516582be7e50 Mon Sep 17 00:00:00 2001 From: Randall Huang Date: Mon, 9 Sep 2024 10:31:14 +0800 Subject: [PATCH] Storage: add sepolicy for recovery mode avc: denied { search } for pid=286 comm="fsck.f2fs" name="0:0:0:0" dev="sysfs" ino=100643 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=dir permissive=1 avc: denied { getattr } for pid=286 comm="fsck.f2fs" path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/sda10/partition" dev="sysfs" ino=102318 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { read } for pid=286 comm="fsck.f2fs" name="zoned" dev="sysfs" ino=101014 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { open } for pid=286 comm="fsck.f2fs" path="/sys/devices/platform/3c400000.ufs/host0/target0:0:0/0:0:0:0/block/sda/queue/zoned" dev="sysfs" ino=101014 scontext=u:r:recovery:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1 avc: denied { read } for pid=340 comm="fsck.f2fs" name="sda1" dev="tmpfs" ino=1060 scontext=u:r:fsck:s0 tcontext=u:object_r:persist_block_device:s0 tclass=blk_file permissive=0 avc: denied { read write } for pid=340 comm="fsck.f2fs" name="sda1" dev="tmpfs" ino=1060 scontext=u:r:fsck:s0 tcontext=u:object_r:persist_block_device:s0 tclass=blk_file permissive=0 Bug: 361093433 Test: factory data reset Change-Id: Idce44f75e8ef6f3e381fcdaa8c29831747ee0ecd Signed-off-by: Randall Huang --- storage/sepolicy/fsck.te | 1 + storage/sepolicy/recovery.te | 6 ++++++ 2 files changed, 7 insertions(+) create mode 100644 storage/sepolicy/recovery.te diff --git a/storage/sepolicy/fsck.te b/storage/sepolicy/fsck.te index 7369bb4..6502995 100644 --- a/storage/sepolicy/fsck.te +++ b/storage/sepolicy/fsck.te @@ -4,4 +4,5 @@ allow fsck efs_block_device:blk_file rw_file_perms; allow fsck modem_userdata_block_device:blk_file rw_file_perms; allow fsck sysfs_scsi_devices_0000:dir r_dir_perms; allow fsck sysfs_scsi_devices_0000:file r_file_perms; +allow fsck persist_block_device:blk_file rw_file_perms; diff --git a/storage/sepolicy/recovery.te b/storage/sepolicy/recovery.te new file mode 100644 index 0000000..7b34bb8 --- /dev/null +++ b/storage/sepolicy/recovery.te @@ -0,0 +1,6 @@ +# factory data reset +recovery_only(` + allow recovery sysfs_scsi_devices_0000:file r_file_perms; + allow recovery sysfs_scsi_devices_0000:dir r_dir_perms; +') +