From c90dc61dc6405c13ac604b8c3ed31bc42ec3b8a9 Mon Sep 17 00:00:00 2001 From: LuK1337 Date: Tue, 7 Apr 2020 13:12:18 +0200 Subject: [PATCH] sepolicy: Add sdcard_posix_contextmount_type attribute * Since we can't use contextmount_type for sdcard_posix due to contextmount_type being read only by design we need to declare our own attribute to bypass relabelto neverallow. That way we can mount external ext4/f2fs SD with sdcard_posix context and write permissions. Test: m -j selinux_policy Change-Id: I0dfe49cc0b34dfcce2840198843bde1272cbc61c --- prebuilts/api/202404/public/domain.te | 2 +- prebuilts/api/34.0/public/attributes | 3 +++ prebuilts/api/34.0/public/domain.te | 2 +- public/attributes | 3 +++ 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/prebuilts/api/202404/public/domain.te b/prebuilts/api/202404/public/domain.te index 0a2a5e52f..a99984eac 100644 --- a/prebuilts/api/202404/public/domain.te +++ b/prebuilts/api/202404/public/domain.te @@ -509,7 +509,7 @@ neverallow * rootfs:file { create write setattr relabelto append unlink link ren # Restrict context mounts to specific types marked with # the contextmount_type attribute. -neverallow * {fs_type -contextmount_type}:filesystem relabelto; +neverallow * {fs_type -contextmount_type -sdcard_posix_contextmount_type}:filesystem relabelto; # Ensure that context mount types are not writable, to ensure that # the write to /system restriction above is not bypassed via context= diff --git a/prebuilts/api/34.0/public/attributes b/prebuilts/api/34.0/public/attributes index 16a8e66af..83e04c1d7 100644 --- a/prebuilts/api/34.0/public/attributes +++ b/prebuilts/api/34.0/public/attributes @@ -27,6 +27,9 @@ attribute contextmount_type; # example. attribute fusefs_type; +# All types used for sdcard_posix context= mounts. +attribute sdcard_posix_contextmount_type; + # All types used for files that can exist on a labeled fs. # Do not use for pseudo file types. # On change, update CHECK_FC_ASSERT_ATTRS diff --git a/prebuilts/api/34.0/public/domain.te b/prebuilts/api/34.0/public/domain.te index d4be2056f..4f8dc7a93 100644 --- a/prebuilts/api/34.0/public/domain.te +++ b/prebuilts/api/34.0/public/domain.te @@ -491,7 +491,7 @@ neverallow * rootfs:file { create write setattr relabelto append unlink link ren # Restrict context mounts to specific types marked with # the contextmount_type attribute. -neverallow * {fs_type -contextmount_type}:filesystem relabelto; +neverallow * {fs_type -contextmount_type -sdcard_posix_contextmount_type}:filesystem relabelto; # Ensure that context mount types are not writable, to ensure that # the write to /system restriction above is not bypassed via context= diff --git a/public/attributes b/public/attributes index 759b773a2..9cd89fa33 100644 --- a/public/attributes +++ b/public/attributes @@ -27,6 +27,9 @@ attribute contextmount_type; # example. attribute fusefs_type; +# All types used for sdcard_posix context= mounts. +attribute sdcard_posix_contextmount_type; + # All types used for files that can exist on a labeled fs. # Do not use for pseudo file types. # On change, update CHECK_FC_ASSERT_ATTRS