sepolicy: Add label to userdata file node

The userdata file node should be labeled to avoid avc denied. Bug: 171760673 Bug: 177364376 Test: build pass Signed-off-by: Randall Huang <huangrandall@google.com> Change-Id: I9ba89c75c120864c64ea278934b15edc3ba18a6c
2021-02-19 07:45:02 +08:00 · 2021-02-19 07:45:02 +08:00 · 10d42cec51
commit 10d42cec51
parent 1aad552cfd
6 changed files with 12 additions and 0 deletions
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@ -106,6 +106,7 @@
    texttospeech_service
    transformer_service
    update_engine_stable_service
+    userdata_sysdev
    usermanager_service
    userspace_reboot_metadata_file
    vcn_management_service
--- a/private/file_contexts
+++ b/private/file_contexts
@ -173,6 +173,7 @@
 /dev/socket/usap_pool_primary	u:object_r:zygote_socket:s0
 /dev/socket/usap_pool_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
+/dev/sys/fs/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
--- a/public/device.te
+++ b/public/device.te
@ -117,3 +117,6 @@ type super_block_device, super_block_device_type, dev_type;
 # separate device node. gsid, however, accesses the original devide node
 # created through uevents, so we use a separate label.
 type sdcard_block_device, dev_type;
+
+# Userdata device file for filesystem tunables
+type userdata_sysdev, dev_type;
--- a/public/init.te
+++ b/public/init.te
@ -600,6 +600,9 @@ allow init system_bootstrap_lib_file:file { execute read open getattr map };
 # stat the root dir of fuse filesystems (for the mount handler)
 allow init fuse:dir { search getattr };

+# allow filesystem tuning
+allow init userdata_sysdev:file create_file_perms;
+
 ###
 ### neverallow rules
 ###
--- a/public/userdata_sysdev.te
+++ b/public/userdata_sysdev.te
@ -0,0 +1 @@
+allow userdata_sysdev sysfs:filesystem associate;
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@ -197,6 +197,9 @@ allow vendor_init misc_block_device:blk_file w_file_perms;
 allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
 allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };

+# allow filesystem tuning
+allow vendor_init userdata_sysdev:file create_file_perms;
+
 # Everything is labeled as rootfs in recovery mode. Vendor init has to execute
 # the dynamic linker and shared libraries.
 recovery_only(`
				`@ -0,0 +1 @@`
				`allow userdata_sysdev sysfs:filesystem associate;`