Merge "sepolicy: Add vm block devices labeling"
diff --git a/generic/vendor/common/device.te b/generic/vendor/common/device.te
index 78d13d9..1678799 100644
--- a/generic/vendor/common/device.te
+++ b/generic/vendor/common/device.te
@@ -44,6 +44,7 @@
type vendor_modem_efs_partition_device, dev_type;
type vendor_mdtp_device, dev_type;
type vendor_persist_block_device, dev_type;
+type vendor_vm_data_block_device, dev_type;
type vendor_qsee_ipc_irq_spss_device, dev_type;
type vendor_qdsp_device, dev_type, mlstrustedobject;
type vendor_ramdump_device, dev_type;
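Review bot: `vendor_vm_data_block_device` is declared without a comment, and within this commit the only rule that references it is init's `relabelto` in init.te; no domain is granted open, read or write on the `vm-data` node that lahaina/file_contexts labels with it. If the consumer's rules live in a separate change, say so next to the declaration, for example `# Block device backing VM data (by-name/vm-data); used by <consumer domain>` (placeholder to be filled in). Keeping mutable VM data in its own type rather than a shared block-device type is sensible, so the later allow rules should name one domain rather than an attribute.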
diff --git a/generic/vendor/common/file.te b/generic/vendor/common/file.te
index b694210..d011229 100644
--- a/generic/vendor/common/file.te
+++ b/generic/vendor/common/file.te
@@ -166,6 +166,9 @@
type adsprpcd_file, file_type, mlstrustedobject, vendor_file_type;
+# vm system files
+type vendor_vm_system_file, file_type, vendor_file_type;
+
type vendor_hbtp_log_file, file_type, data_file_type;
type vendor_hbtp_cfg_file, file_type, vendor_file_type;
diff --git a/generic/vendor/common/file_contexts b/generic/vendor/common/file_contexts
index 6e0eb0b..dcc1f62 100644
--- a/generic/vendor/common/file_contexts
+++ b/generic/vendor/common/file_contexts
@@ -303,8 +303,9 @@
/data/vendor/audio(/.*)? u:object_r:vendor_audio_data_file:s0
# /
-/tombstones u:object_r:rootfs:s0
-/vendor/dsp(/.*)? u:object_r:adsprpcd_file:s0
+/tombstones u:object_r:rootfs:s0
+/vendor/dsp(/.*)? u:object_r:adsprpcd_file:s0
+/vendor/vm-system(/.*)? u:object_r:vendor_vm_system_file:s0
# /persist
/mnt/vendor/persist/data(/.*)? u:object_r:vendor_persist_data_file:s0
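Review bot: The new entry `/vendor/vm-system(/.*)?` labels the directory and everything under it, yet init.te in this commit also allows init `mounton` for that type, which suggests a separate filesystem is mounted there. file_contexts only takes effect at image build or restorecon time, so the mounted content carries `vendor_vm_system_file` only if that image is built against this file_contexts or mounted with a `context=` option; otherwise the ueventd rules added in ueventd.te would not match its files. It would help to state in the commit description which of the two applies. The `/tombstones` and `/vendor/dsp` lines appear to change only in whitespace and could be left out of the hunk.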
diff --git a/generic/vendor/common/init.te b/generic/vendor/common/init.te
index 28c940b..323e6d8 100644
--- a/generic/vendor/common/init.te
+++ b/generic/vendor/common/init.te
@@ -29,6 +29,7 @@
cache_file
mnt_vendor_file
storage_file
+ vendor_vm_system_file
}:dir mounton;
# symlink /sdcard to backing block
@@ -62,6 +63,7 @@
vendor_ssd_block_device
vendor_modem_block_device
vendor_mdtp_device
+ vendor_vm_data_block_device
}:{ blk_file lnk_file } relabelto;
#Allow /sys access to write zram disksize
diff --git a/generic/vendor/common/ueventd.te b/generic/vendor/common/ueventd.te
index 1fd94bf..a9362a0 100644
--- a/generic/vendor/common/ueventd.te
+++ b/generic/vendor/common/ueventd.te
@@ -47,6 +47,8 @@
allow ueventd tmpfs:blk_file getattr;
allow ueventd vendor_persist_file:dir search;
allow ueventd vendor_persist_file:file r_file_perms;
+allow ueventd vendor_vm_system_file:dir search;
+allow ueventd vendor_vm_system_file:file r_file_perms;
# For wifi to access mnt_vendor_file
r_dir_file(ueventd, mnt_vendor_file)
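Review bot: The two added rules give ueventd read access to every file labelled `vendor_vm_system_file`, which per the common file_contexts is the whole `/vendor/vm-system` tree, and nothing in the hunk says why ueventd needs it. If the purpose is firmware loading from that partition (an assumption, the hunk does not say), a narrower type covering only the firmware directory would keep the rest of the VM system image out of ueventd's reach. At minimum add a comment above the rules, e.g. `# ueventd loads firmware from /vendor/vm-system`, adjusted to the real reason.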
diff --git a/generic/vendor/msmnile/update_engine_common.te b/generic/vendor/common/update_engine_common.te
similarity index 100%
rename from generic/vendor/msmnile/update_engine_common.te
rename to generic/vendor/common/update_engine_common.te
diff --git a/generic/vendor/kona/update_engine_common.te b/generic/vendor/kona/update_engine_common.te
deleted file mode 100644
index fc4a39a..0000000
--- a/generic/vendor/kona/update_engine_common.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright (c) 2019, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Allow update_engine and update_engine_sideload (recovery) read/write on the
-# device-specific partitions it should update.
-allow update_engine_common {
- vendor_custom_ab_block_device
- vendor_xbl_block_device
- vendor_uefi_block_device
- vendor_ssd_block_device
- vendor_modem_block_device
- recovery_block_device
-}:blk_file rw_file_perms;
-
-allow update_engine_common tmpfs:lnk_file r_file_perms;
-allow update_engine_common metadata_file:dir search;
-
diff --git a/generic/vendor/lahaina/file_contexts b/generic/vendor/lahaina/file_contexts
index a796e4e..f314596 100644
--- a/generic/vendor/lahaina/file_contexts
+++ b/generic/vendor/lahaina/file_contexts
@@ -50,6 +50,7 @@
/dev/block/platform/soc/1d84000.ufshc/by-name/mdm1m9kefs2 u:object_r:vendor_efs_boot_dev:s0
/dev/block/platform/soc/1d84000.ufshc/by-name/mdm1m9kefs3 u:object_r:vendor_efs_boot_dev:s0
/dev/block/platform/soc/1d84000.ufshc/by-name/mdmddr u:object_r:vendor_efs_boot_dev:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/vm-data u:object_r:vendor_vm_data_block_device:s0
# A/B partitions.
/dev/block/platform/soc/1d84000.ufshc/by-name/abl_[ab] u:object_r:vendor_custom_ab_block_device:s0
@@ -89,6 +90,7 @@
/dev/block/platform/soc/1d84000.ufshc/by-name/recovery_[ab] u:object_r:recovery_block_device:s0
/dev/block/platform/soc/1d84000.ufshc/by-name/vbmeta_system_[ab] u:object_r:vendor_custom_ab_block_device:s0
/dev/block/platform/soc/1d84000.ufshc/by-name/vbmeta_product_[ab] u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000.ufshc/by-name/vm-bootsys_[ab] u:object_r:vendor_custom_ab_block_device:s0
/dev/block/platform/soc/1d84000.ufshc/by-name/super u:object_r:super_block_device:s0
# Block device holding the GPT, where the A/B attributes are stored.
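Review bot: Labelling `vm-bootsys_[ab]` as `vendor_custom_ab_block_device` puts the VM boot image in the same type as abl and vbmeta, so every domain allowed on that type gains access to it; the update_engine_common.te copies removed in this commit grant update_engine_common `rw_file_perms` on it, and presumably the file moved to common does the same. That is likely intended for A/B updates, but it ties the VM image's integrity to everything that may write the shared type. A dedicated type (for example `vendor_vm_bootsys_block_device`, a constructed name) with its own update_engine_common rule would make that write set explicit and auditable. Separately, if the moved file matches the kona and lito copies, consolidating into common widens the policy for trinket, whose removed copy had no `recovery_block_device` entry and no `tmpfs:lnk_file` rule.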
diff --git a/generic/vendor/lito/update_engine_common.te b/generic/vendor/lito/update_engine_common.te
deleted file mode 100644
index e82e43c..0000000
--- a/generic/vendor/lito/update_engine_common.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# Copyright (c) 2019, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Allow update_engine and update_engine_sideload (recovery) read/write on the
-# device-specific partitions it should update.
-allow update_engine_common {
- vendor_custom_ab_block_device
- vendor_xbl_block_device
- vendor_uefi_block_device
- vendor_ssd_block_device
- vendor_modem_block_device
- recovery_block_device
-}:blk_file rw_file_perms;
-
-allow update_engine_common tmpfs:lnk_file r_file_perms;
-allow update_engine_common metadata_file:dir search;
diff --git a/qva/vendor/msmsteppe/update_engine_common.te b/qva/vendor/msmsteppe/update_engine_common.te
deleted file mode 100644
index 57300bd..0000000
--- a/qva/vendor/msmsteppe/update_engine_common.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Allow update_engine and update_engine_sideload (recovery) read/write on the
-# device-specific partitions it should update.
-allow update_engine_common {
- vendor_custom_ab_block_device
- vendor_xbl_block_device
- vendor_uefi_block_device
- vendor_ssd_block_device
- vendor_modem_block_device
- recovery_block_device
-}:blk_file rw_file_perms;
-allow update_engine_common tmpfs:lnk_file r_file_perms;
-allow update_engine_common metadata_file:dir search;
diff --git a/qva/vendor/trinket/update_engine_common.te b/qva/vendor/trinket/update_engine_common.te
deleted file mode 100644
index 907b415..0000000
--- a/qva/vendor/trinket/update_engine_common.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Allow update_engine and update_engine_sideload (recovery) read/write on the
-# device-specific partitions it should update.
-allow update_engine_common {
- vendor_custom_ab_block_device
- vendor_xbl_block_device
- vendor_uefi_block_device
- vendor_ssd_block_device
- vendor_modem_block_device
-}:blk_file rw_file_perms;
-allow update_engine_common metadata_file:dir search;