Merge "Remove the bdev_type and sysfs_block_type SELinux attributes" am: 187ffea5b8
am: 81f861e9fc
am: b602e2e510
am: 27c8e3fabc
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919 Change-Id: I2bc03021167e7d8e35f4bf92fe54f09271323597
commit
f3c3c05d72
9 changed files with 29 additions and 35 deletions
|
@ -7,9 +7,6 @@
|
|||
# in tools/checkfc.c
|
||||
attribute dev_type;
|
||||
|
||||
# Attribute for block devices.
|
||||
attribute bdev_type;
|
||||
|
||||
# All types used for processes.
|
||||
attribute domain;
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
type ashmem_device, dev_type, mlstrustedobject;
|
||||
type ashmem_libcutils_device, dev_type, mlstrustedobject;
|
||||
type binder_device, dev_type, mlstrustedobject;
|
||||
type block_device, dev_type, bdev_type;
|
||||
type block_device, dev_type;
|
||||
type console_device, dev_type;
|
||||
type device, dev_type, fs_type;
|
||||
type dm_device, dev_type;
|
||||
|
@ -34,7 +34,7 @@ type tun_device, dev_type, mlstrustedobject;
|
|||
type uhid_device, dev_type, mlstrustedobject;
|
||||
type uio_device, dev_type;
|
||||
type userdata_sysdev, dev_type;
|
||||
type vd_device, dev_type, bdev_type;
|
||||
type vd_device, dev_type;
|
||||
type vndbinder_device, dev_type;
|
||||
type vsock_device, dev_type;
|
||||
type zero_device, dev_type, mlstrustedobject;
|
||||
|
|
|
@ -82,6 +82,7 @@
|
|||
(type battery_service)
|
||||
(type batteryproperties_service)
|
||||
(type batterystats_service)
|
||||
(type bdev_type)
|
||||
(type binder_cache_bluetooth_server_prop)
|
||||
(type binder_cache_system_server_prop)
|
||||
(type binder_cache_telephony_server_prop)
|
||||
|
@ -943,6 +944,7 @@
|
|||
(type sysfs)
|
||||
(type sysfs_android_usb)
|
||||
(type sysfs_batteryinfo)
|
||||
(type sysfs_block_type)
|
||||
(type sysfs_bluetooth_writable)
|
||||
(type sysfs_devfreq_cur)
|
||||
(type sysfs_devfreq_dir)
|
||||
|
@ -1852,6 +1854,7 @@
|
|||
(typeattribute battery_service_31_0)
|
||||
(typeattribute batteryproperties_service_31_0)
|
||||
(typeattribute batterystats_service_31_0)
|
||||
(typeattribute bdev_type_31_0)
|
||||
(typeattribute binder_cache_bluetooth_server_prop_31_0)
|
||||
(typeattribute binder_cache_system_server_prop_31_0)
|
||||
(typeattribute binder_cache_telephony_server_prop_31_0)
|
||||
|
@ -2968,6 +2971,7 @@
|
|||
(typeattribute sysfs_31_0)
|
||||
(typeattribute sysfs_android_usb_31_0)
|
||||
(typeattribute sysfs_batteryinfo_31_0)
|
||||
(typeattribute sysfs_block_type_31_0)
|
||||
(typeattribute sysfs_bluetooth_writable_31_0)
|
||||
(typeattribute sysfs_devfreq_cur_31_0)
|
||||
(typeattribute sysfs_devfreq_dir_31_0)
|
||||
|
|
|
@ -91,6 +91,7 @@
|
|||
(expandtypeattribute (battery_service_31_0) true)
|
||||
(expandtypeattribute (batteryproperties_service_31_0) true)
|
||||
(expandtypeattribute (batterystats_service_31_0) true)
|
||||
(expandtypeattribute (bdev_type_31_0) true)
|
||||
(expandtypeattribute (binder_cache_bluetooth_server_prop_31_0) true)
|
||||
(expandtypeattribute (binder_cache_system_server_prop_31_0) true)
|
||||
(expandtypeattribute (binder_cache_telephony_server_prop_31_0) true)
|
||||
|
@ -952,6 +953,7 @@
|
|||
(expandtypeattribute (sysfs_31_0) true)
|
||||
(expandtypeattribute (sysfs_android_usb_31_0) true)
|
||||
(expandtypeattribute (sysfs_batteryinfo_31_0) true)
|
||||
(expandtypeattribute (sysfs_block_type_31_0) true)
|
||||
(expandtypeattribute (sysfs_bluetooth_writable_31_0) true)
|
||||
(expandtypeattribute (sysfs_devfreq_cur_31_0) true)
|
||||
(expandtypeattribute (sysfs_devfreq_dir_31_0) true)
|
||||
|
@ -1321,6 +1323,7 @@
|
|||
(typeattributeset battery_service_31_0 (battery_service))
|
||||
(typeattributeset batteryproperties_service_31_0 (batteryproperties_service))
|
||||
(typeattributeset batterystats_service_31_0 (batterystats_service))
|
||||
(typeattributeset bdev_type_31_0 (bdev_type))
|
||||
(typeattributeset binder_cache_bluetooth_server_prop_31_0 (binder_cache_bluetooth_server_prop))
|
||||
(typeattributeset binder_cache_system_server_prop_31_0 (binder_cache_system_server_prop))
|
||||
(typeattributeset binder_cache_telephony_server_prop_31_0 (binder_cache_telephony_server_prop))
|
||||
|
@ -2182,6 +2185,7 @@
|
|||
(typeattributeset sysfs_31_0 (sysfs))
|
||||
(typeattributeset sysfs_android_usb_31_0 (sysfs_android_usb))
|
||||
(typeattributeset sysfs_batteryinfo_31_0 (sysfs_batteryinfo))
|
||||
(typeattributeset sysfs_block_type_31_0 (sysfs_block_type))
|
||||
(typeattributeset sysfs_bluetooth_writable_31_0 (sysfs_bluetooth_writable))
|
||||
(typeattributeset sysfs_devfreq_cur_31_0 (sysfs_devfreq_cur))
|
||||
(typeattributeset sysfs_devfreq_dir_31_0 (sysfs_devfreq_dir))
|
||||
|
|
|
@ -119,7 +119,6 @@ genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_et
|
|||
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
|
||||
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
|
||||
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
|
||||
genfscon sysfs /class/block u:object_r:sysfs_block:s0
|
||||
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
|
||||
genfscon sysfs /class/net u:object_r:sysfs_net:s0
|
||||
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
|
||||
|
|
|
@ -7,9 +7,6 @@
|
|||
# in tools/checkfc.c
|
||||
attribute dev_type;
|
||||
|
||||
# Attribute for block devices.
|
||||
attribute bdev_type;
|
||||
|
||||
# All types used for processes.
|
||||
attribute domain;
|
||||
|
||||
|
@ -68,9 +65,6 @@ expandattribute proc_net_type true;
|
|||
# All types used for sysfs files.
|
||||
attribute sysfs_type;
|
||||
|
||||
# Attribute for /sys/class/block files.
|
||||
attribute sysfs_block_type;
|
||||
|
||||
# All types use for debugfs files.
|
||||
attribute debugfs_type;
|
||||
|
||||
|
|
|
@ -6,18 +6,18 @@ type audio_device, dev_type;
|
|||
type binder_device, dev_type, mlstrustedobject;
|
||||
type hwbinder_device, dev_type, mlstrustedobject;
|
||||
type vndbinder_device, dev_type;
|
||||
type block_device, dev_type, bdev_type;
|
||||
type block_device, dev_type;
|
||||
type camera_device, dev_type;
|
||||
type dm_device, dev_type, bdev_type;
|
||||
type dm_user_device, dev_type, bdev_type;
|
||||
type dm_device, dev_type;
|
||||
type dm_user_device, dev_type;
|
||||
type keychord_device, dev_type;
|
||||
type loop_control_device, dev_type;
|
||||
type loop_device, dev_type, bdev_type;
|
||||
type loop_device, dev_type;
|
||||
type pmsg_device, dev_type, mlstrustedobject;
|
||||
type radio_device, dev_type;
|
||||
type ram_device, dev_type, bdev_type;
|
||||
type ram_device, dev_type;
|
||||
type rtc_device, dev_type;
|
||||
type vd_device, dev_type, bdev_type;
|
||||
type vd_device, dev_type;
|
||||
type vold_device, dev_type;
|
||||
type console_device, dev_type;
|
||||
type fscklogs, dev_type;
|
||||
|
@ -73,51 +73,51 @@ type hci_attach_dev, dev_type;
|
|||
type rpmsg_device, dev_type;
|
||||
|
||||
# Partition layout block device
|
||||
type root_block_device, dev_type, bdev_type;
|
||||
type root_block_device, dev_type;
|
||||
|
||||
# factory reset protection block device
|
||||
type frp_block_device, dev_type, bdev_type;
|
||||
type frp_block_device, dev_type;
|
||||
|
||||
# System block device mounted on /system.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type system_block_device, dev_type, bdev_type;
|
||||
type system_block_device, dev_type;
|
||||
|
||||
# Recovery block device.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type recovery_block_device, dev_type, bdev_type;
|
||||
type recovery_block_device, dev_type;
|
||||
|
||||
# boot block device.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type boot_block_device, dev_type, bdev_type;
|
||||
type boot_block_device, dev_type;
|
||||
|
||||
# Userdata block device mounted on /data.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type userdata_block_device, dev_type, bdev_type;
|
||||
type userdata_block_device, dev_type;
|
||||
|
||||
# Cache block device mounted on /cache.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type cache_block_device, dev_type, bdev_type;
|
||||
type cache_block_device, dev_type;
|
||||
|
||||
# Block device for any swap partition.
|
||||
type swap_block_device, dev_type, bdev_type;
|
||||
type swap_block_device, dev_type;
|
||||
|
||||
# Metadata block device used for encryption metadata.
|
||||
# Assign this type to the partition specified by the encryptable=
|
||||
# mount option in your fstab file in the entry for userdata.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type metadata_block_device, dev_type, bdev_type;
|
||||
type metadata_block_device, dev_type;
|
||||
|
||||
# The 'misc' partition used by recovery and A/B.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions-images
|
||||
type misc_block_device, dev_type, bdev_type;
|
||||
type misc_block_device, dev_type;
|
||||
|
||||
# 'super' partition to be used for logical partitioning.
|
||||
type super_block_device, super_block_device_type, dev_type, bdev_type;
|
||||
type super_block_device, super_block_device_type, dev_type;
|
||||
|
||||
# sdcard devices; normally vold uses the vold_block_device label and creates a
|
||||
# separate device node. gsid, however, accesses the original devide node
|
||||
# created through uevents, so we use a separate label.
|
||||
type sdcard_block_device, dev_type, bdev_type;
|
||||
type sdcard_block_device, dev_type;
|
||||
|
||||
# Userdata device file for filesystem tunables
|
||||
type userdata_sysdev, dev_type;
|
||||
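Review bot: With `bdev_type` dropped from every declaration in these two hunks, nothing but the type names marks `root_block_device`, `userdata_block_device`, `super_block_device` and the other partition types as block devices, so any rule meant to cover all raw-partition access now has to enumerate them by hand. I would add a comment above `# Partition layout block device` saying so, for example `# Block device types share no attribute; list each type explicitly in allow/neverallow rules.` It is also worth confirming, outside this page, that no remaining platform or vendor rule still names `bdev_type`, since such a rule would presumably be rejected at policy build time. The context comment for `sdcard_block_device` has a typo, `devide node` for `device node`.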
|
|
|
@ -88,11 +88,10 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject;
|
|||
type sysfs_android_usb, fs_type, sysfs_type;
|
||||
type sysfs_uio, sysfs_type, fs_type;
|
||||
type sysfs_batteryinfo, fs_type, sysfs_type;
|
||||
type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
|
||||
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||
type sysfs_devfreq_cur, fs_type, sysfs_type;
|
||||
type sysfs_devfreq_dir, fs_type, sysfs_type;
|
||||
type sysfs_devices_block, fs_type, sysfs_type, sysfs_block_type;
|
||||
type sysfs_devices_block, fs_type, sysfs_type;
|
||||
type sysfs_dm, fs_type, sysfs_type;
|
||||
type sysfs_dm_verity, fs_type, sysfs_type;
|
||||
type sysfs_dma_heap, fs_type, sysfs_type;
|
||||
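Review bot: The `sysfs_block` type disappears in this hunk (the 11-to-10 line count leaves room for only one added line, the new `sysfs_devices_block`), while the compat entries added elsewhere on this page cover only `bdev_type` and `sysfs_block_type`. If `sysfs_block` was ever part of a frozen API level, vendor policy that names it needs a mapping entry; if it never shipped, a sentence in the commit message saying so would save the next reader the check. With the `/class/block` genfscon entry also removed, those files presumably fall back to the generic `sysfs` label, so every domain already allowed on `sysfs` can read them, which deserves a line in the description as well.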
|
|
|
@ -157,9 +157,6 @@ allow shell sysfs:dir r_dir_perms;
|
|||
allow shell sysfs_batteryinfo:dir r_dir_perms;
|
||||
allow shell sysfs_batteryinfo:file r_file_perms;
|
||||
|
||||
# allow shell to list /sys/class/block/ to get storage type for CTS
|
||||
allow shell sysfs_block:dir r_dir_perms;
|
||||
|
||||
# Allow access to ion memory allocation device.
|
||||
allow shell ion_device:chr_file rw_file_perms;
|
||||
|
||||
|
|