From 4374a1fd83bb0b174dbc859c662388a135bad8aa Mon Sep 17 00:00:00 2001 From: Bart Van Assche Date: Fri, 8 Oct 2021 09:30:42 -0700 Subject: [PATCH] Stop using the bdev_type and sysfs_block_type SELinux attributes Stop using these SELinux attributes since the apexd and init SELinux policies no longer rely on these attributes. The difference between the previous versions of this patch and the current patch is that the current patch does not remove any SELinux attributes. See also https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656. See also https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919. This patch includes a revert of commit 8b2b951349c4 ("Restore permission for shell to list /sys/class/block"). That commit is no longer necessary since it was a bug fix for the introduction of the sysfs_block type. Bug: 202520796 Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd Change-Id: I73e1133af8146c154af95d4b96132e49dbec730c Signed-off-by: Bart Van Assche --- microdroid/system/public/attributes | 2 +- microdroid/system/public/device.te | 4 ++-- private/genfs_contexts | 1 - public/attributes | 4 ++-- public/device.te | 36 ++++++++++++++--------------- public/file.te | 3 +-- public/shell.te | 3 --- 7 files changed, 24 insertions(+), 29 deletions(-) diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes index ffc2b3b58..50c2c81ef 100644 --- a/microdroid/system/public/attributes +++ b/microdroid/system/public/attributes @@ -7,7 +7,7 @@ # in tools/checkfc.c attribute dev_type; -# Attribute for block devices. +# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it. attribute bdev_type; # All types used for processes. diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te index 898224c07..c03fb4d45 100644 --- a/microdroid/system/public/device.te +++ b/microdroid/system/public/device.te @@ -1,7 +1,7 @@ type ashmem_device, dev_type, mlstrustedobject; type ashmem_libcutils_device, dev_type, mlstrustedobject; type binder_device, dev_type, mlstrustedobject; -type block_device, dev_type, bdev_type; +type block_device, dev_type; type console_device, dev_type; type device, dev_type, fs_type; type dm_device, dev_type; @@ -34,7 +34,7 @@ type tun_device, dev_type, mlstrustedobject; type uhid_device, dev_type, mlstrustedobject; type uio_device, dev_type; type userdata_sysdev, dev_type; -type vd_device, dev_type, bdev_type; +type vd_device, dev_type; type vndbinder_device, dev_type; type vsock_device, dev_type; type zero_device, dev_type, mlstrustedobject; diff --git a/private/genfs_contexts b/private/genfs_contexts index 664a3b31a..8f82b5db4 100644 --- a/private/genfs_contexts +++ b/private/genfs_contexts @@ -119,7 +119,6 @@ genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_et genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0 genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0 genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0 -genfscon sysfs /class/block u:object_r:sysfs_block:s0 genfscon sysfs /class/leds u:object_r:sysfs_leds:s0 genfscon sysfs /class/net u:object_r:sysfs_net:s0 genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 diff --git a/public/attributes b/public/attributes index 6c37db190..b9a936731 100644 --- a/public/attributes +++ b/public/attributes @@ -7,7 +7,7 @@ # in tools/checkfc.c attribute dev_type; -# Attribute for block devices. +# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it. attribute bdev_type; # All types used for processes. @@ -68,7 +68,7 @@ expandattribute proc_net_type true; # All types used for sysfs files. attribute sysfs_type; -# Attribute for /sys/class/block files. +# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it. attribute sysfs_block_type; # All types use for debugfs files. diff --git a/public/device.te b/public/device.te index 1a71a40e1..686f95533 100644 --- a/public/device.te +++ b/public/device.te @@ -6,18 +6,18 @@ type audio_device, dev_type; type binder_device, dev_type, mlstrustedobject; type hwbinder_device, dev_type, mlstrustedobject; type vndbinder_device, dev_type; -type block_device, dev_type, bdev_type; +type block_device, dev_type; type camera_device, dev_type; -type dm_device, dev_type, bdev_type; -type dm_user_device, dev_type, bdev_type; +type dm_device, dev_type; +type dm_user_device, dev_type; type keychord_device, dev_type; type loop_control_device, dev_type; -type loop_device, dev_type, bdev_type; +type loop_device, dev_type; type pmsg_device, dev_type, mlstrustedobject; type radio_device, dev_type; -type ram_device, dev_type, bdev_type; +type ram_device, dev_type; type rtc_device, dev_type; -type vd_device, dev_type, bdev_type; +type vd_device, dev_type; type vold_device, dev_type; type console_device, dev_type; type fscklogs, dev_type; @@ -73,51 +73,51 @@ type hci_attach_dev, dev_type; type rpmsg_device, dev_type; # Partition layout block device -type root_block_device, dev_type, bdev_type; +type root_block_device, dev_type; # factory reset protection block device -type frp_block_device, dev_type, bdev_type; +type frp_block_device, dev_type; # System block device mounted on /system. # Documented at https://source.android.com/devices/bootloader/partitions-images -type system_block_device, dev_type, bdev_type; +type system_block_device, dev_type; # Recovery block device. # Documented at https://source.android.com/devices/bootloader/partitions-images -type recovery_block_device, dev_type, bdev_type; +type recovery_block_device, dev_type; # boot block device. # Documented at https://source.android.com/devices/bootloader/partitions-images -type boot_block_device, dev_type, bdev_type; +type boot_block_device, dev_type; # Userdata block device mounted on /data. # Documented at https://source.android.com/devices/bootloader/partitions-images -type userdata_block_device, dev_type, bdev_type; +type userdata_block_device, dev_type; # Cache block device mounted on /cache. # Documented at https://source.android.com/devices/bootloader/partitions-images -type cache_block_device, dev_type, bdev_type; +type cache_block_device, dev_type; # Block device for any swap partition. -type swap_block_device, dev_type, bdev_type; +type swap_block_device, dev_type; # Metadata block device used for encryption metadata. # Assign this type to the partition specified by the encryptable= # mount option in your fstab file in the entry for userdata. # Documented at https://source.android.com/devices/bootloader/partitions-images -type metadata_block_device, dev_type, bdev_type; +type metadata_block_device, dev_type; # The 'misc' partition used by recovery and A/B. # Documented at https://source.android.com/devices/bootloader/partitions-images -type misc_block_device, dev_type, bdev_type; +type misc_block_device, dev_type; # 'super' partition to be used for logical partitioning. -type super_block_device, super_block_device_type, dev_type, bdev_type; +type super_block_device, super_block_device_type, dev_type; # sdcard devices; normally vold uses the vold_block_device label and creates a # separate device node. gsid, however, accesses the original devide node # created through uevents, so we use a separate label. -type sdcard_block_device, dev_type, bdev_type; +type sdcard_block_device, dev_type; # Userdata device file for filesystem tunables type userdata_sysdev, dev_type; diff --git a/public/file.te b/public/file.te index 0b94e2ee7..ffcfd2b29 100644 --- a/public/file.te +++ b/public/file.te @@ -88,11 +88,10 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject; type sysfs_android_usb, fs_type, sysfs_type; type sysfs_uio, sysfs_type, fs_type; type sysfs_batteryinfo, fs_type, sysfs_type; -type sysfs_block, fs_type, sysfs_type, sysfs_block_type; type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject; type sysfs_devfreq_cur, fs_type, sysfs_type; type sysfs_devfreq_dir, fs_type, sysfs_type; -type sysfs_devices_block, fs_type, sysfs_type, sysfs_block_type; +type sysfs_devices_block, fs_type, sysfs_type; type sysfs_dm, fs_type, sysfs_type; type sysfs_dm_verity, fs_type, sysfs_type; type sysfs_dma_heap, fs_type, sysfs_type; diff --git a/public/shell.te b/public/shell.te index 5fd907919..7751d63dc 100644 --- a/public/shell.te +++ b/public/shell.te @@ -157,9 +157,6 @@ allow shell sysfs:dir r_dir_perms; allow shell sysfs_batteryinfo:dir r_dir_perms; allow shell sysfs_batteryinfo:file r_file_perms; -# allow shell to list /sys/class/block/ to get storage type for CTS -allow shell sysfs_block:dir r_dir_perms; - # Allow access to ion memory allocation device. allow shell ion_device:chr_file rw_file_perms;