From 52238a1e0c4901535df6ebcd0d38302666d06014 Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Wed, 27 Apr 2022 00:16:04 +0000
Subject: [PATCH] toolbox.te: remove unneeded FS_IOC_FS[GS]ETXATTR permission
These ioctls don't need to be allowed, as they'd only be needed to set project quota IDs. But this is only done by other domains (installd, vold, and mediaprovider_app). Probably it was originally planned for an init script to run 'chattr -p ID', but this didn't end up happening. This is a basically revert of commit 4de3228c461d ("Allow toolbox to set project quota IDs.") (https://r.android.com/1224007). Also remove an outdated comment at the top of the file.
Test: booted Cuttlefish, no denials seen.
Change-Id: If61179a35f419c6cbfcf1432a86b2c1375db71ed
---
 public/toolbox.te | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/public/toolbox.te b/public/toolbox.te
index 4c2cc3eab..93adbc40c 100644
--- a/public/toolbox.te
+++ b/public/toolbox.te
@@ -1,5 +1,4 @@
 # Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
 # Do NOT use this domain for toolbox when run by any other domain.
 type toolbox, domain;
 type toolbox_exec, system_file_type, exec_type, file_type;
@@ -28,11 +27,6 @@ allow toolbox system_data_root_file:dir { remove_name write };
 allow toolbox system_data_file:dir { rmdir rw_dir_perms };
 allow toolbox system_data_file:file { getattr unlink };
-# chattr +F and chattr +P /data/media in init
+# chattr +F /data/media in init
 allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
-allowxperm toolbox media_rw_data_file:dir ioctl {
- FS_IOC_FSGETXATTR
- FS_IOC_FSSETXATTR
- FS_IOC_GETFLAGS
- FS_IOC_SETFLAGS
-};
+allowxperm toolbox media_rw_data_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };
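Review bot: In the second hunk, nothing in the file records why the FS_IOC_FS[GS]ETXATTR pair is deliberately absent from the new `allowxperm` line, so a later denial could lead to the pair being re-added without anyone revisiting the reasoning in this commit message. A comment above that rule would keep the intent next to the policy, for example `# Project quota IDs are set by installd, vold and mediaprovider_app, not by toolbox; do not add FS_IOC_FS[GS]ETXATTR here.` The stated test is a single Cuttlefish boot; if a device-specific init script runs `chattr -p` through this domain it would presumably start producing ioctl denials, so checking the audit log on at least one other target before merging would be worthwhile.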