Stop using the bdev_type and sysfs_block_type SELinux attributes

Stop using these SELinux attributes since the apexd and init SELinux
policies no longer rely on these attributes.

The difference between the previous versions of this patch and the
current patch is that the current patch does not remove any SELinux
attributes. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.
See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919.

This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block").  That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.

Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: I73e1133af8146c154af95d4b96132e49dbec730c
Signed-off-by: Bart Van Assche <bvanassche@google.com>
This commit is contained in:
Bart Van Assche 2021-10-08 09:30:42 -07:00
parent 69a7983d31
commit 4374a1fd83
7 changed files with 24 additions and 29 deletions

View file

@ -7,7 +7,7 @@
# in tools/checkfc.c
attribute dev_type;
# Attribute for block devices.
# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute bdev_type;
# All types used for processes.

View file

@ -1,7 +1,7 @@
type ashmem_device, dev_type, mlstrustedobject;
type ashmem_libcutils_device, dev_type, mlstrustedobject;
type binder_device, dev_type, mlstrustedobject;
type block_device, dev_type, bdev_type;
type block_device, dev_type;
type console_device, dev_type;
type device, dev_type, fs_type;
type dm_device, dev_type;
@ -34,7 +34,7 @@ type tun_device, dev_type, mlstrustedobject;
type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
type userdata_sysdev, dev_type;
type vd_device, dev_type, bdev_type;
type vd_device, dev_type;
type vndbinder_device, dev_type;
type vsock_device, dev_type;
type zero_device, dev_type, mlstrustedobject;

View file

@ -119,7 +119,6 @@ genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_et
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
genfscon sysfs /class/block u:object_r:sysfs_block:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0

View file

@ -7,7 +7,7 @@
# in tools/checkfc.c
attribute dev_type;
# Attribute for block devices.
# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute bdev_type;
# All types used for processes.
@ -68,7 +68,7 @@ expandattribute proc_net_type true;
# All types used for sysfs files.
attribute sysfs_type;
# Attribute for /sys/class/block files.
# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
attribute sysfs_block_type;
# All types use for debugfs files.

View file

@ -6,18 +6,18 @@ type audio_device, dev_type;
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
type block_device, dev_type, bdev_type;
type block_device, dev_type;
type camera_device, dev_type;
type dm_device, dev_type, bdev_type;
type dm_user_device, dev_type, bdev_type;
type dm_device, dev_type;
type dm_user_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
type loop_device, dev_type, bdev_type;
type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
type ram_device, dev_type, bdev_type;
type ram_device, dev_type;
type rtc_device, dev_type;
type vd_device, dev_type, bdev_type;
type vd_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
@ -73,51 +73,51 @@ type hci_attach_dev, dev_type;
type rpmsg_device, dev_type;
# Partition layout block device
type root_block_device, dev_type, bdev_type;
type root_block_device, dev_type;
# factory reset protection block device
type frp_block_device, dev_type, bdev_type;
type frp_block_device, dev_type;
# System block device mounted on /system.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type system_block_device, dev_type, bdev_type;
type system_block_device, dev_type;
# Recovery block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type recovery_block_device, dev_type, bdev_type;
type recovery_block_device, dev_type;
# boot block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type boot_block_device, dev_type, bdev_type;
type boot_block_device, dev_type;
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type userdata_block_device, dev_type, bdev_type;
type userdata_block_device, dev_type;
# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type cache_block_device, dev_type, bdev_type;
type cache_block_device, dev_type;
# Block device for any swap partition.
type swap_block_device, dev_type, bdev_type;
type swap_block_device, dev_type;
# Metadata block device used for encryption metadata.
# Assign this type to the partition specified by the encryptable=
# mount option in your fstab file in the entry for userdata.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type metadata_block_device, dev_type, bdev_type;
type metadata_block_device, dev_type;
# The 'misc' partition used by recovery and A/B.
# Documented at https://source.android.com/devices/bootloader/partitions-images
type misc_block_device, dev_type, bdev_type;
type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
type super_block_device, super_block_device_type, dev_type, bdev_type;
type super_block_device, super_block_device_type, dev_type;
# sdcard devices; normally vold uses the vold_block_device label and creates a
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
type sdcard_block_device, dev_type, bdev_type;
type sdcard_block_device, dev_type;
# Userdata device file for filesystem tunables
type userdata_sysdev, dev_type;

View file

@ -88,11 +88,10 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_devfreq_cur, fs_type, sysfs_type;
type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
type sysfs_dma_heap, fs_type, sysfs_type;

View file

@ -157,9 +157,6 @@ allow shell sysfs:dir r_dir_perms;
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
# allow shell to list /sys/class/block/ to get storage type for CTS
allow shell sysfs_block:dir r_dir_perms;
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;