domain_deprecated: remove rootfs access

Grant audited permissions collected in logs.

tcontext=platform_app
avc: granted { getattr } for comm=496E666C6174657254687265616420
path="/" dev="dm-0" ino=2 scontext=u:r:platform_app:s0:c512,c768
tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=system_app
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir
avc: granted { getattr } for comm="android:ui" path="/" dev="dm-0"
scontext=u:r:system_app:s0 tcontext=u:object_r:rootfs:s0 tclass=dir

tcontext=update_engine
avc: granted { getattr } for comm="update_engine" path="/" dev="dm-0"
ino=2 scontext=u:r:update_engine:s0 tcontext=u:object_r:rootfs:s0
tclass=dir
avc: granted { getattr } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file
avc: granted { read open } for comm="update_engine" path="/fstab.foo"
dev="dm-0" ino=25 scontext=u:r:update_engine:s0
tcontext=u:object_r:rootfs:s0 tclass=file

Bug: 28760354
Test: build
Change-Id: I6135eea1d10b903a4a7e69da468097f495484665
diff --git a/private/platform_app.te b/private/platform_app.te
index 42534bd..047cca4 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -38,6 +38,9 @@
 allow platform_app vfat:dir create_dir_perms;
 allow platform_app vfat:file create_file_perms;
 
+# com.android.systemui
+allow platform_app rootfs:dir getattr;
+
 allow platform_app audioserver_service:service_manager find;
 allow platform_app cameraserver_service:service_manager find;
 allow platform_app drmserver_service:service_manager find;
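Review bot: The comment `# com.android.systemui` above `allow platform_app rootfs:dir getattr;` names a package but not the access being granted, and the audit line in the commit message cannot confirm the attribution: its comm is hex-encoded and decodes to "InflaterThread ", a thread name rather than a package. A comment that records the observed access would be easier to audit later, e.g. `# getattr on "/" (rootfs:dir), previously granted via domain_deprecated; logged from thread "InflaterThread".` The same applies to the system_app.te hunk, whose comment reads `# android.ui and system.ui` while the log shows only comm="android:ui". The rules themselves grant no more than the audited getattr.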
diff --git a/private/system_app.te b/private/system_app.te
index 606c4a0..80afcb9 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -11,6 +11,9 @@
 net_domain(system_app)
 binder_service(system_app)
 
+# android.ui and system.ui
+allow system_app rootfs:dir getattr;
+
 # Read and write /data/data subdirectory.
 allow system_app system_app_data_file:dir create_dir_perms;
 allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index fb0284f..775bb1e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -13,6 +13,10 @@
 # requires it.
 allow update_engine_common misc_block_device:blk_file rw_file_perms;
 
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
 # Allow update_engine_common to mount on the /postinstall directory and reset the
 # labels on the mounted filesystem to postinstall_file.
 allow update_engine_common postinstall_mnt_dir:dir mounton;
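Review bot: `allow update_engine_common rootfs:file r_file_perms;` grants more than the audit log in the commit message shows. The logged accesses are getattr, read and open on the single file /fstab.foo, whereas r_file_perms in the AOSP macros also carries ioctl and lock, and the rule covers every file labelled rootfs. If only the fstab read is needed, `allow update_engine_common rootfs:file { getattr open read };` matches the log exactly. The rule is also placed on update_engine_common in the public policy, so it presumably reaches every domain carrying that attribute, while the logged scontext is update_engine only; it is worth confirming the other domains need it. The `# read fstab` comment could name the path so the rootfs grant can be dropped if fstab files later get their own label.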