sepolicy: Add sdcard_posix_contextmount_type attribute
* Since we can't use contextmount_type for sdcard_posix (contextmount_type is read-only by design), we need to declare our own attribute to bypass the relabelto neverallow. That way we can mount an external ext4/f2fs SD card with the sdcard_posix context and write permissions. Test: m -j selinux_policy Change-Id: I0dfe49cc0b34dfcce2840198843bde1272cbc61c
This commit is contained in:
parent
ad1c4255c4
commit
c90dc61dc6
4 changed files with 8 additions and 2 deletions
@ -509,7 +509,7 @@ neverallow * rootfs:file { create write setattr relabelto append unlink link ren
# Restrict context mounts to specific types marked with
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;
neverallow * {fs_type -contextmount_type -sdcard_posix_contextmount_type}:filesystem relabelto;
# Ensure that context mount types are not writable, to ensure that
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# the write to /system restriction above is not bypassed via context=
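Review bot: The comment directly above the changed `neverallow` is now stale: it still says context mounts are restricted to types marked with the contextmount_type attribute, while the new rule also exempts sdcard_posix_contextmount_type. More importantly, the rule that follows in this block (per its comment, the one that keeps context mount types non-writable so the /system write restriction cannot be bypassed via context=) presumably keys on contextmount_type alone, so a type carrying only the new attribute escapes that protection by design, and nothing in the visible hunks limits which types may carry it. Consider rewriting the comment as `# the contextmount_type or sdcard_posix_contextmount_type attribute;` / `# the latter is exempt from the writability restriction below.` and pinning membership with a guard such as `neverallow * { sdcard_posix_contextmount_type -sdcard_posix }:filesystem relabelto;` if sdcard_posix is the only intended member. The identical hunk repeated further down the page needs the same treatment.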
@ -27,6 +27,9 @@ attribute contextmount_type;
# example.
# example.
attribute fusefs_type;
attribute fusefs_type;
# All types used for sdcard_posix context= mounts.
attribute sdcard_posix_contextmount_type;
# All types used for files that can exist on a labeled fs.
# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
# On change, update CHECK_FC_ASSERT_ATTRS
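Review bot: The comment on the new attribute, `# All types used for sdcard_posix context= mounts.`, says what it groups but not why it exists separately from contextmount_type, which the hunk header shows is declared earlier in the same file. Since its whole purpose (per the commit message) is to be exempt from the relabelto neverallow that keeps contextmount_type read-only, a maintainer adding a type to this attribute should be told that they are granting a writable context mount. Suggest extending the comment with `# Unlike contextmount_type, these types are exempt from the read-only` / `# context-mount restriction; keep membership minimal.` The identical hunk repeated further down the page needs the same comment.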
@ -491,7 +491,7 @@ neverallow * rootfs:file { create write setattr relabelto append unlink link ren
# Restrict context mounts to specific types marked with
# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;
neverallow * {fs_type -contextmount_type -sdcard_posix_contextmount_type}:filesystem relabelto;
# Ensure that context mount types are not writable, to ensure that
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# the write to /system restriction above is not bypassed via context=
@ -27,6 +27,9 @@ attribute contextmount_type;
# example.
# example.
attribute fusefs_type;
attribute fusefs_type;
# All types used for sdcard_posix context= mounts.
attribute sdcard_posix_contextmount_type;
# All types used for files that can exist on a labeled fs.
# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
# On change, update CHECK_FC_ASSERT_ATTRS