Allow the init and apexd processes to read all block device properties am: db5e6c2424

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/15515665

Change-Id: I9ddaa4a241b174295cccc8c0c2837a02f3b3e16a

prebuilts/api/31.0/private/apexd.te

@@ -51,8 +51,9 @@ allowxperm apexd loop_device:blk_file ioctl {
   BLKFLSBUF
   LOOP_CONFIGURE
 };
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd bdev_type:dir r_dir_perms;
+allow apexd bdev_type:blk_file getattr;
 
 #allow apexd to access virtual disks
 allow apexd vd_device:blk_file r_file_perms;
@@ -106,6 +107,8 @@ allow apexd labeledfs:filesystem { mount unmount };
 
 # /sys directory tree traversal
 allow apexd sysfs_type:dir search;
+allow apexd sysfs_block_type:dir r_dir_perms;
+allow apexd sysfs_block_type:file r_file_perms;
 # Configure read-ahead of dm-verity and loop devices
 # for dm-X
 allow apexd sysfs_dm:dir r_dir_perms;

prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil

@@ -124,6 +124,7 @@
     snapuserd_socket
     soc_prop
     speech_recognition_service
+    sysfs_block
     sysfs_devfreq_cur
     sysfs_devfreq_dir
     sysfs_devices_cs_etm

prebuilts/api/31.0/private/genfs_contexts

@@ -117,6 +117,7 @@ genfscon sysfs /devices/cs_etm                    u:object_r:sysfs_devices_cs_et
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /class/android_usb                 u:object_r:sysfs_android_usb:s0
 genfscon sysfs /class/extcon                      u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/block                       u:object_r:sysfs_block:s0
 genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
 genfscon sysfs /class/net                         u:object_r:sysfs_net:s0
 genfscon sysfs /class/rfkill/rfkill0/state        u:object_r:sysfs_bluetooth_writable:s0

prebuilts/api/31.0/private/init.te

@@ -42,6 +42,12 @@ allow init sysfs_dm:file read;
 allow init sysfs_loop:dir r_dir_perms;
 allow init sysfs_loop:file rw_file_perms;
 
+# Allow init to examine the properties of block devices.
+allow init sysfs_block_type:file { getattr read };
+# Allow init access /dev/block
+allow init bdev_type:dir r_dir_perms;
+allow init bdev_type:blk_file getattr;
+
 # Allow init to write to the drop_caches file.
 allow init proc_drop_caches:file rw_file_perms;
 

prebuilts/api/31.0/public/attributes

@@ -7,6 +7,9 @@
 # in tools/checkfc.c
 attribute dev_type;
 
+# Attribute for block devices.
+attribute bdev_type;
+
 # All types used for processes.
 attribute domain;
 
@@ -59,6 +62,9 @@ expandattribute proc_net_type true;
 # All types used for sysfs files.
 attribute sysfs_type;
 
+# Attribute for /sys/class/block files.
+attribute sysfs_block_type;
+
 # All types use for debugfs files.
 attribute debugfs_type;
 

prebuilts/api/31.0/public/device.te

@@ -6,16 +6,16 @@ type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
-type block_device, dev_type;
+type block_device, dev_type, bdev_type;
 type camera_device, dev_type;
-type dm_device, dev_type;
-type dm_user_device, dev_type;
+type dm_device, dev_type, bdev_type;
+type dm_user_device, dev_type, bdev_type;
 type keychord_device, dev_type;
 type loop_control_device, dev_type;
-type loop_device, dev_type;
+type loop_device, dev_type, bdev_type;
 type pmsg_device, dev_type, mlstrustedobject;
 type radio_device, dev_type;
-type ram_device, dev_type;
+type ram_device, dev_type, bdev_type;
 type rtc_device, dev_type;
 type vd_device, dev_type;
 type vold_device, dev_type;
@@ -73,51 +73,51 @@ type hci_attach_dev, dev_type;
 type rpmsg_device, dev_type;
 
 # Partition layout block device
-type root_block_device, dev_type;
+type root_block_device, dev_type, bdev_type;
 
 # factory reset protection block device
-type frp_block_device, dev_type;
+type frp_block_device, dev_type, bdev_type;
 
 # System block device mounted on /system.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type;
+type system_block_device, dev_type, bdev_type;
 
 # Recovery block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type;
+type recovery_block_device, dev_type, bdev_type;
 
 # boot block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type;
+type boot_block_device, dev_type, bdev_type;
 
 # Userdata block device mounted on /data.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type;
+type userdata_block_device, dev_type, bdev_type;
 
 # Cache block device mounted on /cache.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type;
+type cache_block_device, dev_type, bdev_type;
 
 # Block device for any swap partition.
-type swap_block_device, dev_type;
+type swap_block_device, dev_type, bdev_type;
 
 # Metadata block device used for encryption metadata.
 # Assign this type to the partition specified by the encryptable=
 # mount option in your fstab file in the entry for userdata.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type;
+type metadata_block_device, dev_type, bdev_type;
 
 # The 'misc' partition used by recovery and A/B.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type;
+type misc_block_device, dev_type, bdev_type;
 
 # 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type;
+type super_block_device, super_block_device_type, dev_type, bdev_type;
 
 # sdcard devices; normally vold uses the vold_block_device label and creates a
 # separate device node. gsid, however, accesses the original devide node
 # created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type;
+type sdcard_block_device, dev_type, bdev_type;
 
 # Userdata device file for filesystem tunables
 type userdata_sysdev, dev_type;

prebuilts/api/31.0/public/file.te

@@ -86,6 +86,7 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
 type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_devfreq_cur, fs_type, sysfs_type;
 type sysfs_devfreq_dir, fs_type, sysfs_type;

private/apexd.te

@@ -51,8 +51,9 @@ allowxperm apexd loop_device:blk_file ioctl {
   BLKFLSBUF
   LOOP_CONFIGURE
 };
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd bdev_type:dir r_dir_perms;
+allow apexd bdev_type:blk_file getattr;
 
 #allow apexd to access virtual disks
 allow apexd vd_device:blk_file r_file_perms;
@@ -106,6 +107,8 @@ allow apexd labeledfs:filesystem { mount unmount };
 
 # /sys directory tree traversal
 allow apexd sysfs_type:dir search;
+allow apexd sysfs_block_type:dir r_dir_perms;
+allow apexd sysfs_block_type:file r_file_perms;
 # Configure read-ahead of dm-verity and loop devices
 # for dm-X
 allow apexd sysfs_dm:dir r_dir_perms;

private/compat/30.0/30.0.ignore.cil

@@ -124,6 +124,7 @@
     snapuserd_socket
     soc_prop
     speech_recognition_service
+    sysfs_block
     sysfs_devfreq_cur
     sysfs_devfreq_dir
     sysfs_devices_cs_etm

private/genfs_contexts

@@ -117,6 +117,7 @@ genfscon sysfs /devices/cs_etm                    u:object_r:sysfs_devices_cs_et
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /class/android_usb                 u:object_r:sysfs_android_usb:s0
 genfscon sysfs /class/extcon                      u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/block                       u:object_r:sysfs_block:s0
 genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
 genfscon sysfs /class/net                         u:object_r:sysfs_net:s0
 genfscon sysfs /class/rfkill/rfkill0/state        u:object_r:sysfs_bluetooth_writable:s0

private/init.te

@@ -42,6 +42,12 @@ allow init sysfs_dm:file read;
 allow init sysfs_loop:dir r_dir_perms;
 allow init sysfs_loop:file rw_file_perms;
 
+# Allow init to examine the properties of block devices.
+allow init sysfs_block_type:file { getattr read };
+# Allow init access /dev/block
+allow init bdev_type:dir r_dir_perms;
+allow init bdev_type:blk_file getattr;
+
 # Allow init to write to the drop_caches file.
 allow init proc_drop_caches:file rw_file_perms;
 

public/attributes

@@ -7,6 +7,9 @@
 # in tools/checkfc.c
 attribute dev_type;
 
+# Attribute for block devices.
+attribute bdev_type;
+
 # All types used for processes.
 attribute domain;
 
@@ -59,6 +62,9 @@ expandattribute proc_net_type true;
 # All types used for sysfs files.
 attribute sysfs_type;
 
+# Attribute for /sys/class/block files.
+attribute sysfs_block_type;
+
 # All types use for debugfs files.
 attribute debugfs_type;
 

public/device.te

@@ -6,16 +6,16 @@ type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
-type block_device, dev_type;
+type block_device, dev_type, bdev_type;
 type camera_device, dev_type;
-type dm_device, dev_type;
-type dm_user_device, dev_type;
+type dm_device, dev_type, bdev_type;
+type dm_user_device, dev_type, bdev_type;
 type keychord_device, dev_type;
 type loop_control_device, dev_type;
-type loop_device, dev_type;
+type loop_device, dev_type, bdev_type;
 type pmsg_device, dev_type, mlstrustedobject;
 type radio_device, dev_type;
-type ram_device, dev_type;
+type ram_device, dev_type, bdev_type;
 type rtc_device, dev_type;
 type vd_device, dev_type;
 type vold_device, dev_type;
@@ -73,51 +73,51 @@ type hci_attach_dev, dev_type;
 type rpmsg_device, dev_type;
 
 # Partition layout block device
-type root_block_device, dev_type;
+type root_block_device, dev_type, bdev_type;
 
 # factory reset protection block device
-type frp_block_device, dev_type;
+type frp_block_device, dev_type, bdev_type;
 
 # System block device mounted on /system.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type;
+type system_block_device, dev_type, bdev_type;
 
 # Recovery block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type;
+type recovery_block_device, dev_type, bdev_type;
 
 # boot block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type;
+type boot_block_device, dev_type, bdev_type;
 
 # Userdata block device mounted on /data.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type;
+type userdata_block_device, dev_type, bdev_type;
 
 # Cache block device mounted on /cache.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type;
+type cache_block_device, dev_type, bdev_type;
 
 # Block device for any swap partition.
-type swap_block_device, dev_type;
+type swap_block_device, dev_type, bdev_type;
 
 # Metadata block device used for encryption metadata.
 # Assign this type to the partition specified by the encryptable=
 # mount option in your fstab file in the entry for userdata.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type;
+type metadata_block_device, dev_type, bdev_type;
 
 # The 'misc' partition used by recovery and A/B.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type;
+type misc_block_device, dev_type, bdev_type;
 
 # 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type;
+type super_block_device, super_block_device_type, dev_type, bdev_type;
 
 # sdcard devices; normally vold uses the vold_block_device label and creates a
 # separate device node. gsid, however, accesses the original devide node
 # created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type;
+type sdcard_block_device, dev_type, bdev_type;
 
 # Userdata device file for filesystem tunables
 type userdata_sysdev, dev_type;

public/file.te

@@ -86,6 +86,7 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
 type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_devfreq_cur, fs_type, sysfs_type;
 type sysfs_devfreq_dir, fs_type, sysfs_type;