SELinux policy for /dev/sys/block/by-name/rootdisk

Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I550dfb5649ccb5ca61ea5abbf730bd84756f047e
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index b77c97b..d29417d 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -56,6 +56,7 @@
     proc_watermark_scale_factor
     remotelyprovisionedkeypool_service
     resources_manager_service
+    rootdisk_sysdev
     selection_toolbar_service
     snapuserd_proxy_socket
     supplemental_process_service
diff --git a/private/file_contexts b/private/file_contexts
index d8c6fbf..e2ffbc0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -171,6 +171,7 @@
 /dev/socket/usap_pool_primary	u:object_r:zygote_socket:s0
 /dev/socket/usap_pool_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
+/dev/sys/block/by-name/rootdisk(/.*)?	u:object_r:rootdisk_sysdev:s0
 /dev/sys/block/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/sys/fs/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/tty		u:object_r:owntty_device:s0
diff --git a/public/device.te b/public/device.te
index 686f955..4ca8a6f 100644
--- a/public/device.te
+++ b/public/device.te
@@ -121,3 +121,6 @@
 
 # Userdata device file for filesystem tunables
 type userdata_sysdev, dev_type;
+
+# Root disk file for disk tunables
+type rootdisk_sysdev, dev_type;
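Review bot: The new type carries only the `dev_type` attribute, although the companion rootdisk_sysdev.te change associates it with the sysfs filesystem. As declared here, any rule or neverallow keyed on `dev_type` will cover these nodes, and anything keyed on `sysfs_type` will not. This mirrors `userdata_sysdev`, so it may be deliberate, but the comment should say so, for example `# Root disk sysfs nodes for disk tunables, reached via /dev/sys/block/by-name/rootdisk`. It is also worth checking that no existing `dev_type`-wide allow rule unintentionally grants other domains access to these tunables.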
diff --git a/public/init.te b/public/init.te
index 362c41e..d1f7d90 100644
--- a/public/init.te
+++ b/public/init.te
@@ -625,6 +625,9 @@
 # allow filesystem tuning
 allow init userdata_sysdev:file create_file_perms;
 
+# allow disk tuning
+allow init rootdisk_sysdev:file create_file_perms;
+
 ###
 ### neverallow rules
 ###
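Review bot: The added rule `allow init rootdisk_sysdev:file create_file_perms;` gives init create, rename, setattr and unlink on top of read/write, which is more than writing values into existing tunable nodes should need. If init only writes the tunables, `allow init rootdisk_sysdev:file w_file_perms;` keeps the grant to what is used, or `rw_file_perms` if it also reads them back. The rule copies the `userdata_sysdev` line above it, so if the wider set is really required, a short comment saying why would help later audits. The neverallow section that follows continues outside the hunk, so whether other domains are prevented from writing this type cannot be confirmed from here.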
diff --git a/public/rootdisk_sysdev.te b/public/rootdisk_sysdev.te
new file mode 100644
index 0000000..f92fd79
--- /dev/null
+++ b/public/rootdisk_sysdev.te
@@ -0,0 +1 @@
+allow rootdisk_sysdev sysfs:filesystem associate;
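Review bot: The new file has no comment explaining why a type declared with `dev_type` needs `associate` on the sysfs filesystem. A one-line header would make the intent clear, for example `# rootdisk_sysdev labels sysfs nodes reached via /dev/sys/block/by-name/rootdisk, so it must be associable with sysfs.` The /dev path presumably resolves into sysfs, but that is not visible in this change. Since the file lives under public/, the type also becomes part of the policy surface that vendor policy can reference, so confirm that exposure is intended rather than keeping the rule in private/.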