Support reading block apexes from system_server
This relaxes the neverallow so that it is possible to write a new
SELinux allow for system_server to read /dev/block/vd*. It still isn't
possible unless a vendor enables it.
Bug: 196965847
Test: m -j
local_test_runner arc.Boot.vm
Change-Id: Idad79284778cf02066ff0b982480082828f24e19
diff --git a/private/system_server.te b/private/system_server.te
index 5b67b70..68792e8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1250,10 +1250,13 @@
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
neverallow system_server data_file_type:file no_x_file_perms;
-# The only block device system_server should be accessing is
+# The only block device system_server should be writing to is
# the frp_block_device. This helps avoid a system_server to root
# escalation by writing to raw block devices.
-neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
+# The system_server may need to read from vd_device if it uses
+# block apexes.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_w_file_perms;
+neverallow system_server { dev_type -frp_block_device -vd_device }:blk_file r_file_perms;
# system_server should never use JIT functionality
# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
