Add kernel permission for bootconfig proc file
Just before selinux is set up, the kernel context must be allowed to access the /proc/bootconfig file to read the state of the androidboot.selinux= property. Such permission was already granted for accessing the /proc/cmdline file for the same reason. Bug: 173815685 Test: launch_cvd -extra_kernel_cmdline androidboot.selinux=permissive Test: launch_cvd -guest_enforce_security=false [bootconfig method] [..] init: Permissive SELinux boot, forcing sys.init.perf_lsm_hooks to 1. [..] Change-Id: I999c0c9d736bed18e5daea81bb0f8cc78350eba7
This commit is contained in:
parent
4fb7098514
commit
ab8b3dfec5
@ -5,7 +5,12 @@ allow kernel self:global_capability_class_set sys_nice;
|
||||
|
||||
# Root fs.
|
||||
r_dir_file(kernel, rootfs)
|
||||
allow kernel proc_cmdline:file r_file_perms;
|
||||
|
||||
# Used to read androidboot.selinux property
|
||||
allow kernel {
|
||||
proc_bootconfig
|
||||
proc_cmdline
|
||||
}:file r_file_perms;
|
||||
|
||||
# Get SELinux enforcing status.
|
||||
allow kernel selinuxfs:dir r_dir_perms;
|
||||
|
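Review bot: The new rule grants the kernel domain `r_file_perms` on `proc_bootconfig`, but this hunk does not show where the `proc_bootconfig` type is declared or where /proc/bootconfig is labeled with it; if neither is already in the tree (or in a sibling hunk of this commit), the policy will either fail to build on the undeclared type or the file will keep the generic proc label and the original denial will persist, so please confirm both exist. If `proc_bootconfig` is a newly introduced public type, the usual compat mapping for new types in this release likely needs an entry as well, which I cannot verify from this hunk. The comment above the rule could name the files it covers so the pairing is obvious to the next reader, e.g. `# Used to read androidboot.selinux= from /proc/bootconfig or /proc/cmdline before SELinux is set up`. The permission set is read-only and matches what was already granted on `proc_cmdline`, so the widening itself looks appropriate.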