PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add kernel permission for bootconfig proc file

Browse Source 
Just before selinux is set up, the kernel context must be allowed to
access the /proc/bootconfig file to read the state of the
androidboot.selinux= property. Such permission was already granted for
accessing the /proc/cmdline file for the same reason.

Bug: 173815685
Test: launch_cvd -extra_kernel_cmdline androidboot.selinux=permissive
Test: launch_cvd -guest_enforce_security=false [bootconfig method]
[..]
init: Permissive SELinux boot, forcing sys.init.perf_lsm_hooks to 1.
[..]
Change-Id: I999c0c9d736bed18e5daea81bb0f8cc78350eba7
This commit is contained in:
Alistair Delva 2021-03-09 11:29:47 -08:00
parent 4fb7098514
commit ab8b3dfec5
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
public/kernel.te
View File

@ -5,7 +5,12 @@ allow kernel self:global_capability_class_set sys_nice;
# Root fs.
r_dir_file(kernel, rootfs)
allow kernel proc_cmdline:file r_file_perms;
# Used to read androidboot.selinux property
allow kernel {
proc_bootconfig
proc_cmdline
}:file r_file_perms;
# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;