mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-17 03:44:45 -05:00
b6575a362e
Signed-off-by: Tad <tad@spotco.us>
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: nailyk-fr <nailyk_git@nailyk.fr>
Date: Sun, 13 Aug 2017 20:51:06 +0200
Subject: [PATCH] Tuna: Sepolicy: Label metadata partition
* Label metadata partition to allow vold
accessing it for decryption.
* Without this patch:
avc: denied { read write } for pid=166 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
avc: denied { read write } for pid=145 comm="vold" name="mmcblk0p13" dev=tmpfs ino=4564 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
which cannot be allowed in the system-wide policies because of a neverallow rule.
Change-Id: I577794a7298fcd105392699466661a7bd85a6218
---
sepolicy/file_contexts | 2 ++
sepolicy/vold.te | 1 +
2 files changed, 3 insertions(+)
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 30159d4..42a58d1 100644
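--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -49,11 +49,13 @@
 # Block devices
 /dev/block/mmcblk0 u:object_r:root_block_device:s0
 /dev/block/mmcblk0p9 u:object_r:radio_device:s0
+/dev/block/mmcblk0p13 u:object_r:metadata_block_device:s0
 /dev/block/platform/omap/omap_hsmmc.0/by-name/boot u:object_r:boot_block_device:s0
 /dev/block/platform/omap/omap_hsmmc.0/by-name/recovery u:object_r:recovery_block_device:s0
 /dev/block/platform/omap/omap_hsmmc.0/by-name/cache u:object_r:cache_block_device:s0
 /dev/block/platform/omap/omap_hsmmc.0/by-name/system u:object_r:system_block_device:s0
 /dev/block/platform/omap/omap_hsmmc.0/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/omap/omap_hsmmc.0/by-name/metadata u:object_r:metadata_block_device:s0
 /dev/block/platform/omap/omap_hsmmc.0/by-name/param u:object_r:radio_device:s0
 /dev/block/platform/omap/omap_hsmmc.0/by-name/radio u:object_r:radio_device:s0
 /dev/block/platform/omap/omap_hsmmc.0/by-name/dgs u:object_r:tee_block_device:s0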
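Review bot: The new `/dev/block/mmcblk0p13` entry ties the metadata label to a partition number, and nothing in the file says why it is needed alongside the `by-name/metadata` entry added lower in the same hunk. The denials quoted in the commit message were logged against `name="mmcblk0p13"`, so a comment above the numbered entry would record the reason, for example `# metadata partition (same device as by-name/metadata); vold opens it for decryption`. If the partition layout differs on any supported tuna variant, the numbered entry would give the metadata type, and with it vold's read/write access, to a different partition, so it is worth confirming that p13 is metadata on every layout this policy ships to.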
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index 9ba8469..313104b 100644
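--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -1,5 +1,6 @@
 # vold
 allow vold efs_file:dir { getattr read open ioctl };
+allow vold metadata_block_device:blk_file { read write };
 
 # For 'aes-*' module requests.
 allow vold kernel:system module_request;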
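Review bot: The added rule `allow vold metadata_block_device:blk_file { read write };` grants only `read` and `write`, which matches the quoted denials but may not be the full set vold needs once those two pass; `open`, `getattr` or `ioctl` denials could follow unless another rule already covers them. If the platform policy does not already grant vold access to this type, `allow vold metadata_block_device:blk_file rw_file_perms;` would cover the usual set. If it does, this line is probably redundant and the file_contexts labelling alone resolves the denial. A short comment above the rule, such as `# encryption metadata partition, labelled in file_contexts`, would tie the permission to its label. The file continues past the end of the hunk.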