From c1341de4c3f63dcd7ec9adf15e6f6c0d6e0d1fa8 Mon Sep 17 00:00:00 2001
From: Kelvin Zhang
Date: Wed, 3 Apr 2024 15:14:36 -0700
Subject: [PATCH] Add necessary sepolicy for ro.vendor.persist.status

This prop will be set to "mounted" after /mnt/vendor/persist mounts. Need this prop to synchronize different actions in init.rc script.
Test: th
Bug: 319335586
Change-Id: I9e8bd5e875956393d610b7def6be713565543d05
---
 legacy/whitechapel_pro/property.te | 1 +
 vendor/property_contexts | 3 +++
 vendor/tee.te | 5 +++++
 vendor/vendor_init.te | 4 ++++
 4 files changed, 13 insertions(+)

diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index a62eef67..7fe48175 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -6,6 +6,7 @@ vendor_internal_prop(vendor_camera_fatp_prop)
 vendor_internal_prop(vendor_ro_sys_default_prop)
 vendor_internal_prop(vendor_persist_sys_default_prop)
 vendor_internal_prop(vendor_display_prop)
+vendor_internal_prop(vendor_persist_prop)
 # UWB calibration
 system_vendor_config_prop(vendor_uwb_calibration_prop)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index 463772e1..9da4b44b 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -28,3 +28,6 @@ ro.vendor.primarydisplay.xrr.version u:object_r:vendor
 ro.vendor.primarydisplay.blocking_zone.min_refresh_rate_by_nits u:object_r:vendor_display_prop:s0 exact string
 ro.vendor.primarydisplay.vrr.expected_present.headsup_ns u:object_r:vendor_display_prop:s0 exact int
 ro.vendor.primarydisplay.vrr.expected_present.timeout_ns u:object_r:vendor_display_prop:s0 exact int
+
+# For checking if persist partition is mounted
+ro.vendor.persist.status u:object_r:vendor_persist_prop:s0 exact string
diff --git a/vendor/tee.te b/vendor/tee.te
index c99a02d9..ad16959b 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
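Review bot: In vendor/property_contexts the new `ro.vendor.persist.status` entry is typed `exact string`, which accepts any value, although the commit message names "mounted" as the only value that is written. If no other state is planned, `exact enum mounted` would make the property service reject anything else, so init.rc triggers keyed on the value cannot be satisfied by an unexpected string. The `ro.` prefix already makes the property write-once, so this is a tightening rather than a fix.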
@@ -10,6 +10,11 @@ allow tee tee_data_file:lnk_file r_file_perms;
 allow tee tee_persist_block_device:blk_file rw_file_perms;
 allow tee block_device:dir search;
+
+# /mnt/vendor/persist/ss/0 sometimes gets labeled as persist_ss_file,
+# depending on the order of restorecon (b/336314247)
+allow tee persist_ss_file:lnk_file read;
+
 # Allow storageproxyd access to gsi_public_metadata_file
 read_fstab(tee)
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 399626ca..77d3da1c 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -34,3 +34,7 @@ set_prop(vendor_init, vendor_ssrdump_prop)
 # MM
 allow vendor_init proc_watermark_scale_factor:file w_file_perms;
+
+# Allow vendor_init to read ro.vendor.persist.status
+# to process init.rc actions
+set_prop(vendor_init, vendor_persist_prop)
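Review bot: The `allow tee persist_ss_file:lnk_file read;` rule in vendor/tee.te is not mentioned in the commit subject or description, which only cover the property, and its comment describes a labeling race rather than an intended access path. The grant is narrow (read on lnk_file only), but the underlying problem is that /mnt/vendor/persist/ss/0 can end up with either label, and the rule will outlive that problem unless its removal is tracked. I would mark it as a workaround, e.g. `# TODO(b/336314247): remove once /mnt/vendor/persist/ss/0 is labeled deterministically`, and name the rule in the commit message so a later policy audit can find why it was added.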
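Review bot: The comment above `set_prop(vendor_init, vendor_persist_prop)` in vendor/vendor_init.te says the rule lets vendor_init read the property, but `set_prop` grants permission to set it (in the AOSP macro, read access comes along with it). The commit message says the property is set after /mnt/vendor/persist mounts, presumably by vendor_init from init.rc, so write access looks intended and only the comment is off. Suggested wording: `# Allow vendor_init to set ro.vendor.persist.status once /mnt/vendor/persist is mounted` followed by `# and to read it for init.rc triggers`. If vendor_init turns out to need read access only, `get_prop(vendor_init, vendor_persist_prop)` is the least-privilege form.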