Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
The gpt_fdisk project was updated recently, but sepolicy was not updated
with it :) Now sgdisk can use BLKPBSZGET to detect the physical block
size. Seen on cuttlefish when adding external SD Card support to it.
avc: denied { ioctl } for comm="sgdisk" path="/dev/block/vold/disk:252,16"
dev="tmpfs" ino=8625 ioctlcmd=0x127b scontext=u:r:sgdisk:s0
tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
Bug: 156286088
Change-Id: I9f2df88ee253261b52f3022838380fbb1cab6da0
Allow sgdisk to force the kernel to re-read the partition table.
Addresses the following denial:
avc: denied { ioctl } for path=/dev/block/vold/disk:7,0 dev=tmpfs ino=710640 ioctlcmd=125f scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
Bug: 118890056
Test: policy compiles
Test:
1) adb shell sm set-force-adoptable on
2) adb shell sm set-virtual-disk true
3) On device, pick the drop-down notification and
choose "use as phone/internal storage" to adopt the virtual SD card.
Change-Id: I6825cf526cc48aa2a17afab14eadb6134bfc56f9
Add support for the HDIO_GETGEO and BLKGETSIZE ioctls when operating on
/dev/block/vold/ block devices.
HDIO_GETGEO is needed by the sgdisk code to get the number of heads on
the disk drive, likely a side effect of the age of this code.
646af625ce/diskio-unix.cc (193)
Addresses the following denial:
audit(0.0:1775): avc: denied { ioctl } for comm="sgdisk" path="/dev/block/vold/disk:8,96" dev="tmpfs" ino=10740855 ioctlcmd=0x301 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
BLKGETSIZE is used to determine the size of the block device. Ideally
code should not be using this ioctl, as it fails for devices >= 2T in
size. Technically we don't need to grant this, as the sgdisk code will
fall back to using BLKGETSIZE64 if BLKGETSIZE fails.
646af625ce/diskio-unix.cc (430)
Addresses the following denial:
audit(0.0:1778): avc: denied { ioctl } for comm="sgdisk" path="/dev/block/vold/disk:8,96" dev="tmpfs" ino=10740855 ioctlcmd=0x1260 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
Test: policy compiles.
Change-Id: Iaa5274721e8a7d1741591570e9e5305723aad640
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.
Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.
Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
In kernel 4.7, the capability and capability2 classes were split apart
from cap_userns and cap2_userns (see kernel commit
8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be
run in a container with SELinux in enforcing mode.
This change applies the existing capability rules to user namespaces as
well as the root namespace so that Android running in a container
behaves the same on pre- and post-4.7 kernels.
This is essentially:
1. New global_capability_class_set and global_capability2_class_set
that match capability+cap_userns and capability2+cap2_userns,
respectively.
2. s/self:capability/self:global_capability_class_set/g
3. s/self:capability2/self:global_capability2_class_set/g
4. Add cap_userns and cap2_userns to the existing capability_class_set
so that it covers all capabilities. This set was used by several
neverallow and dontaudit rules, and I confirmed that the new
classes are still appropriate.
Test: diff new policy against old and confirm that all new rules add
only cap_userns or cap2_userns;
Boot ARC++ on a device with the 4.12 kernel.
Bug: crbug.com/754831
Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f
Divide policy into public and private components. This is the first
step in splitting the policy creation for platform and non-platform
policies. The policy in the public directory will be exported for use
in non-platform policy creation. Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.
Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal. For now, almost all types and
avrules are left in public.
Test: Tested by building policy and running on device.
Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
