Allow the init and apexd processes to read all block device properties am: db5e6c2424
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/sepolicy/+/15515665 Change-Id: I9ddaa4a241b174295cccc8c0c2837a02f3b3e16a
This commit is contained in:
Bart Van Assche
Automerger Merge Worker
commit
afea3cbde5
14 changed files with 74 additions and 38 deletions
|
|
@ -51,8 +51,9 @@ allowxperm apexd loop_device:blk_file ioctl {
|
|||
BLKFLSBUF
|
||||
LOOP_CONFIGURE
|
||||
};
|
||||
# allow apexd to access /dev/block
|
||||
allow apexd block_device:dir r_dir_perms;
|
||||
# Allow apexd to access /dev/block
|
||||
allow apexd bdev_type:dir r_dir_perms;
|
||||
allow apexd bdev_type:blk_file getattr;
|
||||
|
||||
#allow apexd to access virtual disks
|
||||
allow apexd vd_device:blk_file r_file_perms;
|
||||
|
|
@ -106,6 +107,8 @@ allow apexd labeledfs:filesystem { mount unmount };
|
|||
|
||||
# /sys directory tree traversal
|
||||
allow apexd sysfs_type:dir search;
|
||||
allow apexd sysfs_block_type:dir r_dir_perms;
|
||||
allow apexd sysfs_block_type:file r_file_perms;
|
||||
# Configure read-ahead of dm-verity and loop devices
|
||||
# for dm-X
|
||||
allow apexd sysfs_dm:dir r_dir_perms;
|
||||
|
|
|
|||
|
|
@ -124,6 +124,7 @@
|
|||
snapuserd_socket
|
||||
soc_prop
|
||||
speech_recognition_service
|
||||
sysfs_block
|
||||
sysfs_devfreq_cur
|
||||
sysfs_devfreq_dir
|
||||
sysfs_devices_cs_etm
|
||||
|
|
|
|||
|
|
@ -117,6 +117,7 @@ genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_et
|
|||
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
|
||||
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
|
||||
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
|
||||
genfscon sysfs /class/block u:object_r:sysfs_block:s0
|
||||
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
|
||||
genfscon sysfs /class/net u:object_r:sysfs_net:s0
|
||||
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
|
||||
|
|
|
|||
|
|
@ -42,6 +42,12 @@ allow init sysfs_dm:file read;
|
|||
allow init sysfs_loop:dir r_dir_perms;
|
||||
allow init sysfs_loop:file rw_file_perms;
|
||||
|
||||
# Allow init to examine the properties of block devices.
|
||||
allow init sysfs_block_type:file { getattr read };
|
||||
# Allow init access /dev/block
|
||||
allow init bdev_type:dir r_dir_perms;
|
||||
allow init bdev_type:blk_file getattr;
|
||||
|
||||
# Allow init to write to the drop_caches file.
|
||||
allow init proc_drop_caches:file rw_file_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -7,6 +7,9 @@
|
|||
# in tools/checkfc.c
|
||||
attribute dev_type;
|
||||
|
||||
# Attribute for block devices.
|
||||
attribute bdev_type;
|
||||
|
||||
# All types used for processes.
|
||||
attribute domain;
|
||||
|
||||
|
|
@ -59,6 +62,9 @@ expandattribute proc_net_type true;
|
|||
# All types used for sysfs files.
|
||||
attribute sysfs_type;
|
||||
|
||||
# Attribute for /sys/class/block files.
|
||||
attribute sysfs_block_type;
|
||||
|
||||
# All types use for debugfs files.
|
||||
attribute debugfs_type;
|
||||
|
||||
|
|
|
|||
|
|
@ -6,16 +6,16 @@ type audio_device, dev_type;
|
|||
type binder_device, dev_type, mlstrustedobject;
|
||||
type hwbinder_device, dev_type, mlstrustedobject;
|
||||
type vndbinder_device, dev_type;
|
||||
type block_device, dev_type;
|
||||
type block_device, dev_type, bdev_type;
|
||||
type camera_device, dev_type;
|
||||
type dm_device, dev_type;
|
||||
type dm_user_device, dev_type;
|
||||
type dm_device, dev_type, bdev_type;
|
||||
type dm_user_device, dev_type, bdev_type;
|
||||
type keychord_device, dev_type;
|
||||
type loop_control_device, dev_type;
|
||||
type loop_device, dev_type;
|
||||
type loop_device, dev_type, bdev_type;
|
||||
type pmsg_device, dev_type, mlstrustedobject;
|
||||
type radio_device, dev_type;
|
||||
type ram_device, dev_type;
|
||||
type ram_device, dev_type, bdev_type;
|
||||
type rtc_device, dev_type;
|
||||
type vd_device, dev_type;
|
||||
type vold_device, dev_type;
|
||||
|
|
@ -73,51 +73,51 @@ type hci_attach_dev, dev_type;
|
|||
type rpmsg_device, dev_type;
|
||||
|
||||
# Partition layout block device
|
||||
type root_block_device, dev_type;
|
||||
type root_block_device, dev_type, bdev_type;
|
||||
|
||||
# factory reset protection block device
|
||||
type frp_block_device, dev_type;
|
||||
type frp_block_device, dev_type, bdev_type;
|
||||
|
||||
# System block device mounted on /system.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type system_block_device, dev_type;
|
||||
type system_block_device, dev_type, bdev_type;
|
||||
|
||||
# Recovery block device.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type recovery_block_device, dev_type;
|
||||
type recovery_block_device, dev_type, bdev_type;
|
||||
|
||||
# boot block device.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type boot_block_device, dev_type;
|
||||
type boot_block_device, dev_type, bdev_type;
|
||||
|
||||
# Userdata block device mounted on /data.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type userdata_block_device, dev_type;
|
||||
type userdata_block_device, dev_type, bdev_type;
|
||||
|
||||
# Cache block device mounted on /cache.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type cache_block_device, dev_type;
|
||||
type cache_block_device, dev_type, bdev_type;
|
||||
|
||||
# Block device for any swap partition.
|
||||
type swap_block_device, dev_type;
|
||||
type swap_block_device, dev_type, bdev_type;
|
||||
|
||||
# Metadata block device used for encryption metadata.
|
||||
# Assign this type to the partition specified by the encryptable=
|
||||
# mount option in your fstab file in the entry for userdata.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type metadata_block_device, dev_type;
|
||||
type metadata_block_device, dev_type, bdev_type;
|
||||
|
||||
# The 'misc' partition used by recovery and A/B.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type misc_block_device, dev_type;
|
||||
type misc_block_device, dev_type, bdev_type;
|
||||
|
||||
# 'super' partition to be used for logical partitioning.
|
||||
type super_block_device, super_block_device_type, dev_type;
|
||||
type super_block_device, super_block_device_type, dev_type, bdev_type;
|
||||
|
||||
# sdcard devices; normally vold uses the vold_block_device label and creates a
|
||||
# separate device node. gsid, however, accesses the original devide node
|
||||
# created through uevents, so we use a separate label.
|
||||
type sdcard_block_device, dev_type;
|
||||
type sdcard_block_device, dev_type, bdev_type;
|
||||
|
||||
# Userdata device file for filesystem tunables
|
||||
type userdata_sysdev, dev_type;
|
||||
|
|
|
|||
|
|
@ -86,6 +86,7 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject;
|
|||
type sysfs_android_usb, fs_type, sysfs_type;
|
||||
type sysfs_uio, sysfs_type, fs_type;
|
||||
type sysfs_batteryinfo, fs_type, sysfs_type;
|
||||
type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
|
||||
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||
type sysfs_devfreq_cur, fs_type, sysfs_type;
|
||||
type sysfs_devfreq_dir, fs_type, sysfs_type;
|
||||
|
|
|
|||
|
|
@ -51,8 +51,9 @@ allowxperm apexd loop_device:blk_file ioctl {
|
|||
BLKFLSBUF
|
||||
LOOP_CONFIGURE
|
||||
};
|
||||
# allow apexd to access /dev/block
|
||||
allow apexd block_device:dir r_dir_perms;
|
||||
# Allow apexd to access /dev/block
|
||||
allow apexd bdev_type:dir r_dir_perms;
|
||||
allow apexd bdev_type:blk_file getattr;
|
||||
|
||||
#allow apexd to access virtual disks
|
||||
allow apexd vd_device:blk_file r_file_perms;
|
||||
|
|
@ -106,6 +107,8 @@ allow apexd labeledfs:filesystem { mount unmount };
|
|||
|
||||
# /sys directory tree traversal
|
||||
allow apexd sysfs_type:dir search;
|
||||
allow apexd sysfs_block_type:dir r_dir_perms;
|
||||
allow apexd sysfs_block_type:file r_file_perms;
|
||||
# Configure read-ahead of dm-verity and loop devices
|
||||
# for dm-X
|
||||
allow apexd sysfs_dm:dir r_dir_perms;
|
||||
|
|
|
|||
|
|
@ -124,6 +124,7 @@
|
|||
snapuserd_socket
|
||||
soc_prop
|
||||
speech_recognition_service
|
||||
sysfs_block
|
||||
sysfs_devfreq_cur
|
||||
sysfs_devfreq_dir
|
||||
sysfs_devices_cs_etm
|
||||
|
|
|
|||
|
|
@ -117,6 +117,7 @@ genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_et
|
|||
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
|
||||
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
|
||||
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
|
||||
genfscon sysfs /class/block u:object_r:sysfs_block:s0
|
||||
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
|
||||
genfscon sysfs /class/net u:object_r:sysfs_net:s0
|
||||
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
|
||||
|
|
|
|||
|
|
@ -42,6 +42,12 @@ allow init sysfs_dm:file read;
|
|||
allow init sysfs_loop:dir r_dir_perms;
|
||||
allow init sysfs_loop:file rw_file_perms;
|
||||
|
||||
# Allow init to examine the properties of block devices.
|
||||
allow init sysfs_block_type:file { getattr read };
|
||||
# Allow init access /dev/block
|
||||
allow init bdev_type:dir r_dir_perms;
|
||||
allow init bdev_type:blk_file getattr;
|
||||
|
||||
# Allow init to write to the drop_caches file.
|
||||
allow init proc_drop_caches:file rw_file_perms;
|
||||
|
||||
|
|
|
|||
|
|
@ -7,6 +7,9 @@
|
|||
# in tools/checkfc.c
|
||||
attribute dev_type;
|
||||
|
||||
# Attribute for block devices.
|
||||
attribute bdev_type;
|
||||
|
||||
# All types used for processes.
|
||||
attribute domain;
|
||||
|
||||
|
|
@ -59,6 +62,9 @@ expandattribute proc_net_type true;
|
|||
# All types used for sysfs files.
|
||||
attribute sysfs_type;
|
||||
|
||||
# Attribute for /sys/class/block files.
|
||||
attribute sysfs_block_type;
|
||||
|
||||
# All types use for debugfs files.
|
||||
attribute debugfs_type;
|
||||
|
||||
|
|
|
|||
|
|
@ -6,16 +6,16 @@ type audio_device, dev_type;
|
|||
type binder_device, dev_type, mlstrustedobject;
|
||||
type hwbinder_device, dev_type, mlstrustedobject;
|
||||
type vndbinder_device, dev_type;
|
||||
type block_device, dev_type;
|
||||
type block_device, dev_type, bdev_type;
|
||||
type camera_device, dev_type;
|
||||
type dm_device, dev_type;
|
||||
type dm_user_device, dev_type;
|
||||
type dm_device, dev_type, bdev_type;
|
||||
type dm_user_device, dev_type, bdev_type;
|
||||
type keychord_device, dev_type;
|
||||
type loop_control_device, dev_type;
|
||||
type loop_device, dev_type;
|
||||
type loop_device, dev_type, bdev_type;
|
||||
type pmsg_device, dev_type, mlstrustedobject;
|
||||
type radio_device, dev_type;
|
||||
type ram_device, dev_type;
|
||||
type ram_device, dev_type, bdev_type;
|
||||
type rtc_device, dev_type;
|
||||
type vd_device, dev_type;
|
||||
type vold_device, dev_type;
|
||||
|
|
@ -73,51 +73,51 @@ type hci_attach_dev, dev_type;
|
|||
type rpmsg_device, dev_type;
|
||||
|
||||
# Partition layout block device
|
||||
type root_block_device, dev_type;
|
||||
type root_block_device, dev_type, bdev_type;
|
||||
|
||||
# factory reset protection block device
|
||||
type frp_block_device, dev_type;
|
||||
type frp_block_device, dev_type, bdev_type;
|
||||
|
||||
# System block device mounted on /system.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type system_block_device, dev_type;
|
||||
type system_block_device, dev_type, bdev_type;
|
||||
|
||||
# Recovery block device.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type recovery_block_device, dev_type;
|
||||
type recovery_block_device, dev_type, bdev_type;
|
||||
|
||||
# boot block device.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type boot_block_device, dev_type;
|
||||
type boot_block_device, dev_type, bdev_type;
|
||||
|
||||
# Userdata block device mounted on /data.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type userdata_block_device, dev_type;
|
||||
type userdata_block_device, dev_type, bdev_type;
|
||||
|
||||
# Cache block device mounted on /cache.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type cache_block_device, dev_type;
|
||||
type cache_block_device, dev_type, bdev_type;
|
||||
|
||||
# Block device for any swap partition.
|
||||
type swap_block_device, dev_type;
|
||||
type swap_block_device, dev_type, bdev_type;
|
||||
|
||||
# Metadata block device used for encryption metadata.
|
||||
# Assign this type to the partition specified by the encryptable=
|
||||
# mount option in your fstab file in the entry for userdata.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type metadata_block_device, dev_type;
|
||||
type metadata_block_device, dev_type, bdev_type;
|
||||
|
||||
# The 'misc' partition used by recovery and A/B.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type misc_block_device, dev_type;
|
||||
type misc_block_device, dev_type, bdev_type;
|
||||
|
||||
# 'super' partition to be used for logical partitioning.
|
||||
type super_block_device, super_block_device_type, dev_type;
|
||||
type super_block_device, super_block_device_type, dev_type, bdev_type;
|
||||
|
||||
# sdcard devices; normally vold uses the vold_block_device label and creates a
|
||||
# separate device node. gsid, however, accesses the original devide node
|
||||
# created through uevents, so we use a separate label.
|
||||
type sdcard_block_device, dev_type;
|
||||
type sdcard_block_device, dev_type, bdev_type;
|
||||
|
||||
# Userdata device file for filesystem tunables
|
||||
type userdata_sysdev, dev_type;
|
||||
|
|
|
|||
|
|
@ -86,6 +86,7 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject;
|
|||
type sysfs_android_usb, fs_type, sysfs_type;
|
||||
type sysfs_uio, sysfs_type, fs_type;
|
||||
type sysfs_batteryinfo, fs_type, sysfs_type;
|
||||
type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
|
||||
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||
type sysfs_devfreq_cur, fs_type, sysfs_type;
|
||||
type sysfs_devfreq_dir, fs_type, sysfs_type;
|
||||
|
|
|
|||
Loading…
Reference in a new issue