Change the label of /product/overlay to u:object_r:system_file:s0

Overlayfs product/overlay in init first stage is allowed in AndroidS. product/overlay directory contains RRO apks, it is plausible to allow dumpstate to access it since dumpstate will call df command. Or there will be an avc denial: 01-01 07:09:37.234 13582 13582 W df : type=1400 audit(0.0:1717): avc: denied { getattr } for path="/product/overlay" dev="overlay" ino=2 scontext=u:r:dumpstate:s0 tcontext=u:object_r:vendor_overlay_file:s0 tclass=dir permissive=0 Actually, it is more reasonable to set /product/overlay to u:object_r:system_file:s0 since there already had definiitions releated to /product/overlay /mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0 /(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0 Bug: https://b.corp.google.com/u/0/issues/186342252 Signed-off-by: sunliang <sunliang@oppo.com> Change-Id: I493fab20b5530c6094bd80767a24f3250d7117a8
2021-11-29 14:30:18 +08:00 · 2021-11-29 14:30:18 +08:00 · e8d1e97ef2
commit e8d1e97ef2
parent cc82a6ae89
1 changed files with 1 additions and 1 deletions
--- a/private/file_contexts
+++ b/private/file_contexts
@ -443,7 +443,7 @@
 /(product|system/product)(/.*)?                                 u:object_r:system_file:s0
 /(product|system/product)/etc/group                             u:object_r:system_group_file:s0
 /(product|system/product)/etc/passwd                            u:object_r:system_passwd_file:s0
-/(product|system/product)/overlay(/.*)?                         u:object_r:vendor_overlay_file:s0
+/(product|system/product)/overlay(/.*)?                         u:object_r:system_file:s0

 /(product|system/product)/etc/selinux/product_file_contexts      u:object_r:file_contexts_file:s0
 /(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0