fs_mgr: overlayfs support legacy devices (marlin) Part Deux
On legacy devices system_<other> partition is blocked from
becoming the backing store under certain circumstances.
Test: system/core/fs_mgr/tests/adb-remount-test.sh
Bug: 120448575
Bug: 123079041
Change-Id: I1803f072ca21bc116554eee1d01a1dbd2c9ed0c9
diff --git a/public/domain.te b/public/domain.te
index d3fac70..2621d81 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -608,6 +608,8 @@
neverallow {
domain
-fastbootd
+ userdebug_or_eng(`-fsck')
+ userdebug_or_eng(`-init')
-recovery
-update_engine
} system_block_device:blk_file { write append };
diff --git a/public/fsck.te b/public/fsck.te
index dbbe34c..7a9fbee 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -18,6 +18,9 @@
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
+userdebug_or_eng(`
+allow fsck system_block_device:blk_file rw_file_perms;
+')
# For the block devices where we have ioctl access,
# allow at a minimum the following common fsck ioctls.
@@ -55,6 +58,7 @@
root_block_device
swap_block_device
system_block_device
+ userdebug_or_eng(`-system_block_device')
vold_device
}:blk_file no_rw_file_perms;
diff --git a/public/init.te b/public/init.te
index 02302b2..7f5b3fc 100644
--- a/public/init.te
+++ b/public/init.te
@@ -317,6 +317,8 @@
userdebug_or_eng(`
# Overlayfs workdir write access check during mount to permit remount,rw
allow init overlayfs_file:dir { relabelfrom mounton write };
+ allow init overlayfs_file:file { append };
+ allow init system_block_device:blk_file { write };
')
allow init {
