author | John Stultz <jstultz@google.com> | 2022-04-14 23:17:14 +0000 |
---|---|---|
committer | John Stultz <jstultz@google.com> | 2022-04-14 23:26:30 +0000 |
commit | a58e74ea0635d7547df58aec669fe45b56504df7 (patch) | |
tree | 0e428a1b9fa1df1d6e34c879972a554cac9f8efc /sepolicy | |
parent | 8c86e3763675f99cd63c6e30d2a951160ac456d8 (diff) |
dragonboard: sepolicy: Add sepolicy rules to fix problems seen adb remount overlays

When using adb remount/adb sync, I noticed some new sepolicy
failures that prevented some things from working.

For instance, if I did adb remount right after flashing a
device, on the next bootup I found that wifi would fail to work.
This was due to sepolicy failures caused by the file accesses
being on the overlayfs.

Similarly, when testing a new version of mesa via adb sync, I
found surfaceflinger would fail to start, again due to new
sepolicy failures.

These sepolicy changes were suggested by audit2allow to fix
the problems, and indeed I now have display and wifi working
after adb remount/sync updates.

Signed-off-by: John Stultz <jstultz@google.com>
Change-Id: Ifd819cf34939d1e61b67d8b08c67ec9a2fadd110
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/kernel.te | 6 | ||||
-rw-r--r-- | sepolicy/surfaceflinger.te | 1 | ||||
-rw-r--r-- | sepolicy/system_server.te | 2 |
3 files changed, 8 insertions, 1 deletions
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te index 3fad122..176d6f6 100644 --- a/sepolicy/kernel.te +++ b/sepolicy/kernel.te @@ -2,6 +2,10 @@ allow kernel device:chr_file { create setattr }; allow kernel device:dir { add_name create write }; allow kernel self:capability mknod; -allow kernel vendor_file:file { open read }; +allow kernel vendor_file:file { open read getattr}; +allow kernel vendor_file:dir read; allow kernel self:system module_request; allow vendor_init kernel:system module_request; +allow kernel sepolicy_file:file getattr; +allow kernel system_bootstrap_lib_file:dir getattr; +allow kernel system_bootstrap_lib_file:file getattr; diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te index 17b66a8..9bffa3f 100644 --- a/sepolicy/surfaceflinger.te +++ b/sepolicy/surfaceflinger.te @@ -1 +1,2 @@ gpu_access(surfaceflinger) +allow surfaceflinger vendor_file:dir read; diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te index 80957cc..e801436 100644 --- a/sepolicy/system_server.te +++ b/sepolicy/system_server.te @@ -1 +1,3 @@ gpu_access(system_server) +allow system_server wifi_hal_prop:file {open read getattr map}; +allow system_server vendor_file:dir read; |
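Review bot: In sepolicy/kernel.te the five new kernel-domain rules (`vendor_file:dir read`, the added `getattr` on `vendor_file:file`, and `getattr` on `sepolicy_file` and `system_bootstrap_lib_file`) are granted unconditionally, although the commit message ties them to the overlayfs that adb remount sets up, which is a debuggable-build workflow. Consider wrapping them in `userdebug_or_eng(` ... `)` so a user build does not carry the extra kernel permissions, and add a one-line comment above them saying they are for accesses made through the overlay, since nothing in the file explains why the kernel domain needs to stat the policy file or the bootstrap libraries. Style nit: `{ open read getattr}` is missing the space before the closing brace that the neighbouring rules use.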
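Review bot: In sepolicy/surfaceflinger.te the added `allow surfaceflinger vendor_file:dir read;` has no comment, and `vendor_file` is the generic vendor label, so the rule reads as a broad directory grant with no stated reason. The commit message says the denial only appeared after pushing a new mesa with adb sync, so a comment recording that (and the same `userdebug_or_eng(` scoping as suggested for kernel.te, if the rule is only needed on overlay-backed /vendor) would keep it from being mistaken for a permanent requirement. The same rule is repeated verbatim for kernel and system_server; it is worth confirming from the audit log that each of the three domains actually hit the denial, since audit2allow output is easy to over-apply.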
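Review bot: In sepolicy/system_server.te, `allow system_server wifi_hal_prop:file {open read getattr map};` hand-expands a property read; the policy macro `get_prop(system_server, wifi_hal_prop)` grants the same four permissions and is the conventional way to express it, matching the macro style already used on the line above (`gpu_access(system_server)`). This rule is also a property access rather than a file access under /vendor, so the commit message's explanation (file accesses being on the overlayfs) does not obviously cover it; a sentence in the message or a comment in the file saying which denial prompted it would help. The `vendor_file:dir read` line below it has the same scoping and documentation gap noted for the other two files.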