SELinux policy for /dev/sys/block/by-name/rootdisk

Signed-off-by: Jaegeuk Kim <jaegeuk@google.com> Change-Id: I550dfb5649ccb5ca61ea5abbf730bd84756f047e
2022-03-06 00:47:06 -08:00 · 2022-03-06 00:47:06 -08:00 · be66c59171
commit be66c59171
parent 7bde36e94e
5 changed files with 9 additions and 0 deletions
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@ -56,6 +56,7 @@
    proc_watermark_scale_factor
    remotelyprovisionedkeypool_service
    resources_manager_service
+    rootdisk_sysdev
    selection_toolbar_service
    snapuserd_proxy_socket
    supplemental_process_service
--- a/private/file_contexts
+++ b/private/file_contexts
@ -171,6 +171,7 @@
 /dev/socket/usap_pool_primary	u:object_r:zygote_socket:s0
 /dev/socket/usap_pool_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
+/dev/sys/block/by-name/rootdisk(/.*)?	u:object_r:rootdisk_sysdev:s0
 /dev/sys/block/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/sys/fs/by-name/userdata(/.*)?	u:object_r:userdata_sysdev:s0
 /dev/tty		u:object_r:owntty_device:s0
--- a/public/device.te
+++ b/public/device.te
@ -121,3 +121,6 @@ type sdcard_block_device, dev_type;

 # Userdata device file for filesystem tunables
 type userdata_sysdev, dev_type;
+
+# Root disk file for disk tunables
+type rootdisk_sysdev, dev_type;
--- a/public/init.te
+++ b/public/init.te
@ -625,6 +625,9 @@ allow init fuse:dir { search getattr };
 # allow filesystem tuning
 allow init userdata_sysdev:file create_file_perms;

+# allow disk tuning
+allow init rootdisk_sysdev:file create_file_perms;
+
 ###
 ### neverallow rules
 ###
--- a/public/rootdisk_sysdev.te
+++ b/public/rootdisk_sysdev.te
@ -0,0 +1 @@
+allow rootdisk_sysdev sysfs:filesystem associate;
				`@ -0,0 +1 @@`
				`allow rootdisk_sysdev sysfs:filesystem associate;`