Merge "sepolicy: Add label to userdata file node" am: b8cc291268 am: 0322e361eb am: c85ec347f0

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1538632

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I6b25c718e7ab2915a64170a34e57b221b2da99c6
Treehugger Robot 2021-02-19 12:54:22 +00:00 committed by Automerger Merge Worker
commit 5b413c6577
6 changed files with 12 additions and 0 deletions


@ -107,6 +107,7 @@
texttospeech_service
transformer_service
update_engine_stable_service
userdata_sysdev
usermanager_service
userspace_reboot_metadata_file
vcn_management_service


@ -173,6 +173,7 @@
/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0


@ -117,3 +117,6 @@ type super_block_device, super_block_device_type, dev_type;
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
type sdcard_block_device, dev_type;
# Userdata device file for filesystem tunables
type userdata_sysdev, dev_type;


@ -600,6 +600,9 @@ allow init system_bootstrap_lib_file:file { execute read open getattr map };
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
# allow filesystem tuning
allow init userdata_sysdev:file create_file_perms;
###
### neverallow rules
###
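Review bot: `create_file_perms` on the added `allow init userdata_sysdev:file` rule grants more than the "allow filesystem tuning" comment describes, since the macro adds create, rename, setattr and unlink on top of read/write. If init only writes values into tunable nodes that already exist, `allow init userdata_sysdev:file w_file_perms;` (or `rw_file_perms` if it also reads them back) would be the least-privilege form. The same applies to the matching `allow vendor_init userdata_sysdev:file create_file_perms;` rule in the last file section, where vendor-supplied init scripts get the same breadth. The comment could also name the caller, e.g. `# init writes userdata filesystem tunables under /dev/sys/fs/by-name/userdata`, so that a later audit can tell why the rule exists.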


@ -0,0 +1 @@
allow userdata_sysdev sysfs:filesystem associate;
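Review bot: This new one-line file has no comment explaining why a type declared with only `dev_type` needs `associate` on the sysfs filesystem. The file_contexts entry is under /dev, so presumably the labelled nodes are reached through a link that resolves into sysfs; a line such as `# userdata_sysdev nodes are reached via /dev but live on sysfs; allow the label on that filesystem` would record that, once the author confirms it. It is also worth checking whether the type should carry the sysfs-related attributes in addition to `dev_type`, so that attribute-based rules and neverallows for sysfs objects still cover these nodes.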


@ -197,6 +197,9 @@ allow vendor_init misc_block_device:blk_file w_file_perms;
allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
# allow filesystem tuning
allow vendor_init userdata_sysdev:file create_file_perms;
# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
# the dynamic linker and shared libraries.
recovery_only(`