Google Git
Sign in
android / device / intel / minnowboard / 3785d148afc31fbcb5c41be0a5245c130c720581^! / .
commit3785d148afc31fbcb5c41be0a5245c130c720581[log] [tgz]
authorMihai Serban <mihai.serban@intel.com>Mon Feb 22 18:04:02 2016 +0200
committerBruce J Beare <bruce.j.beare@intel.com>Wed Feb 24 19:52:39 2016 +0000
treee33b2b7fe5a02022bedba7231247a80512474a59
parent5e43112fa1597386e9f8ef393b4507a25895546e [diff]
selinux: fix userfastboot image in enforcing mode

Userfastboot needs to use the loop device to mount and verify the
bootloader image before flashing.
Allow interactive console to start on eng and userdebug builds for
debugging purposes.
Allow userfastboot and dhcp to be started from init domain. The first
is our fastboot implementation and the second is required for obtaining
an IP over Ethernet on Minnowboard.

BUG=none
Change-Id: I4b19aac1f57c5723cbd36f82c8637766aa12a629
Signed-off-by: Mihai Serban <mihai.serban@intel.com>
Signed-off-by: Stefan Stanacar <stefan.stanacar@intel.com>

diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..91679cb
--- /dev/null
+++ b/sepolicy/file.te

@@ -0,0 +1 @@
+type efivarfs, fs_type;

diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..2e6490e
--- /dev/null
+++ b/sepolicy/genfs_contexts

@@ -0,0 +1 @@
+genfscon efivarfs       /   u:object_r:efivarfs:s0

diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..b8bae16
--- /dev/null
+++ b/sepolicy/init.te

@@ -0,0 +1,11 @@
+userfastboot_only(`
+  domain_trans(init, rootfs, userfastboot)
+  domain_trans(init, rootfs, dhcp)
+
+  userdebug_or_eng(`
+    # Used for the serial console, shell label set by the console service
+    # definition from init.rc with:
+    # seclabel u:r:shell:s0
+    domain_trans(init, rootfs, shell)
+  ')
+')

diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..f0910c6
--- /dev/null
+++ b/sepolicy/kernel.te

@@ -0,0 +1,5 @@
+userfastboot_only(`
+  # This is the loop back fd used by userfastboot to mount and verify the
+  # bootloader image
+  allow kernel userfastboot:fd use;
+')

diff --git a/sepolicy/userfastboot.te b/sepolicy/userfastboot.te
index 1333172..623a262 100644
--- a/sepolicy/userfastboot.te
+++ b/sepolicy/userfastboot.te

@@ -32,4 +32,6 @@
   dontaudit userfastboot domain:peer recv;
   dontaudit userfastboot domain:binder *;
   dontaudit userfastboot property_type:property_service set;
+  dontaudit userfastboot efivarfs:dir search;
+  dontaudit userfastboot efivarfs:file rw_file_perms;
 ')