From 1711a2d5c7b85e4c33f63398210e71b4f564c781 Mon Sep 17 00:00:00 2001
From: Hridya Valsaraju
Date: Fri, 30 Apr 2021 14:36:27 -0700
Subject: [PATCH] Provide fastbootd permissions to invoke the set_active command
These permissions fix the following denials:
[ 66.641731][ T59] audit: type=1400 audit(1619815760.952:17): avc: denied { open } for pid=360 comm="fastbootd" path="/dev/block/sdd1" dev="tmpfs" ino=416 scontext=u:r:fastbootd:s0 tcontext=u:object_r:devinfo_block_device:s0 tclass=blk_file permissive=1
[ 66.664509][ T59] audit: type=1400 audit(1619815760.952:18): avc: denied { write } for pid=360 comm="fastbootd" name="sdd1" dev="tmpfs" ino=416 scontext=u:r:fastbootd:s0 tcontext=u:object_r:devinfo_block_device:s0 tclass=blk_file permissive=1
[ 66.686431][ T59] audit: type=1400 audit(1619815760.952:19): avc: denied { read write } for pid=360 comm="fastbootd" name="boot_lun_enabled" dev="sysfs" ino=57569 scontext=u:r:fastbootd:s0 tcontext=u:object_r:sysfs_ota:s0 tclass=file permissive=1
[ 66.708623][ T59] audit: type=1400 audit(1619815760.952:20): avc: denied { open } for pid=360 comm="fastbootd" path="/sys/devices/platform/14700000.ufs/pixel/boot_lun_enabled" dev="sysfs" ino=57569 scontext=u:r:fastbootd:s0 tcontext=u:object_r:sysfs_ota:s0 tclass=file permissive=1
[ 56.680861][ T59] audit: type=1400 audit(1619806507.020:10): avc: denied { read write } for pid=357 comm="fastbootd" name="sda" dev="tmpfs" ino=476 scontext=u:r:fastbootd:s0 tcontext=u:object_r:sda_block_device:s0 tclass=blk_file permissive=0
Test: fastboot set_active
Bug: 185955438
Change-Id: I9339b2a5f2a00c9e1768f479fdeac2e1f27f04bc
---
 whitechapel/vendor/google/fastbootd.te | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 whitechapel/vendor/google/fastbootd.te
diff --git a/whitechapel/vendor/google/fastbootd.te b/whitechapel/vendor/google/fastbootd.te
new file mode 100644
index 00000000..c1c4de7b
--- /dev/null
+++ b/whitechapel/vendor/google/fastbootd.te
@@ -0,0 +1,6 @@
+# Required by the bootcontrol HAL for the 'set_active' command.
+recovery_only(`
+allow fastbootd devinfo_block_device:blk_file rw_file_perms;
+allow fastbootd sda_block_device:blk_file rw_file_perms;
+allow fastbootd sysfs_ota:file rw_file_perms;
+')
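Review bot: The `sda_block_device` rule is the widest grant here, and the single header comment does not say why `set_active` needs it. The denial quoted in the commit message shows `name="sda"`, which looks like a whole-disk node rather than one partition, so `rw_file_perms` on that type would presumably let fastbootd write raw to every partition on that device. The file_contexts mapping for the type is not part of this patch, so confirm which nodes carry the label. Then record the reason directly above the rule, for example `# set_active needs raw rw on the sda node (see Bug: 185955438); narrow to a partition-level type if one suffices`. The `recovery_only` wrapper does confine all three rules to the recovery build, which is worth stating in the comment as a deliberate limit.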