mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-18 02:47:17 -05:00
38 lines
2.0 KiB
Diff
38 lines
2.0 KiB
Diff
From b9219da6cc3efc4cce9ef39a2d570990fd68cf11 Mon Sep 17 00:00:00 2001
|
|
From: nailyk-fr <nailyk_git@nailyk.fr>
|
|
Date: Sun, 13 Aug 2017 20:31:53 +0200
|
|
Subject: [PATCH] Tuna: Sepolicy: Add tee-fs permissions
|
|
|
|
* Tee-fs-setup is launched as recovery context.
|
|
* Those rules are needed because of toybox android
|
|
move.
|
|
* This is mandatory for encryption as this script
|
|
init /tee then start TEE services.
|
|
|
|
* Denials details:
|
|
avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/sh" dev=mmcblk0p10 ino=385 scontext=u:r:recovery:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=1
|
|
avc: denied { getattr } for pid=128 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
|
|
avc: denied { execute } for pid=128 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
|
|
avc: denied { read open } for pid=131 comm="tee-fs-setup.sh" name="toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
|
|
avc: denied { execute_no_trans } for pid=131 comm="tee-fs-setup.sh" path="/system/bin/toybox" dev=mmcblk0p10 ino=428 scontext=u:r:recovery:s0 tcontext=u:object_r:toolbox_exec:s0 tclass=file permissive=1
|
|
|
|
Change-Id: I559f15713c7893b97c7e33f421ff19d606814fb1
|
|
---
|
|
sepolicy/recovery.te | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
|
|
index 0d30c0d7..f1047b45 100644
|
|
--- a/sepolicy/recovery.te
|
|
+++ b/sepolicy/recovery.te
|
|
@@ -43,6 +43,9 @@ allow recovery powerctl_prop:property_service set;
|
|
|
|
# For decryption
|
|
allow recovery tee_device:chr_file { ioctl open read write };
|
|
+allow recovery shell_exec:file getattr;
|
|
+allow recovery toolbox_exec:file { execute execute_no_trans getattr open read };
|
|
+
|
|
#============= healthd ==============
|
|
allow healthd device:dir write;
|
|
|