author | LuK1337 <priv.luk@gmail.com> | 2020-04-07 13:12:18 +0200 |
committer | LuK1337 <priv.luk@gmail.com> | 2020-04-07 13:43:46 +0200 |
commit | a4f1b32524647e8734c61d9d58626f53d061da4c (patch) | |
tree | be54e7cd18c25995658e25d5cd4aab20bf3732a4 | |
parent | 6d15634407ddaa1669f0e1ebd7d7bf4c0a878198 (diff) | |
sepolicy: Add sdcard_posix_contextmount_type attribute
* Since we can't use contextmount_type for sdcard_posix
(contextmount_type is read-only by design), we need to
declare our own attribute to bypass the relabelto
neverallow. That way we can mount an external ext4/f2fs
SD card with the sdcard_posix context and write permissions.
Test: m -j selinux_policy
Change-Id: I0dfe49cc0b34dfcce2840198843bde1272cbc61c
-rw-r--r-- | prebuilts/api/29.0/public/attributes | 3 | ||||
-rw-r--r-- | prebuilts/api/29.0/public/domain.te | 2 | ||||
-rw-r--r-- | public/attributes | 3 | ||||
-rw-r--r-- | public/domain.te | 2 |
4 files changed, 8 insertions, 2 deletions
diff --git a/prebuilts/api/29.0/public/attributes b/prebuilts/api/29.0/public/attributes
index 857efc5d..bb6df994 100644
--- a/prebuilts/api/29.0/public/attributes
+++ b/prebuilts/api/29.0/public/attributes
@@ -18,6 +18,9 @@ attribute fs_type;
 # All types used for context= mounts.
 attribute contextmount_type;
 
+# All types used for sdcard_posix context= mounts.
+attribute sdcard_posix_contextmount_type;
+
 # All types used for files that can exist on a labeled fs.
 # Do not use for pseudo file types.
 # On change, update CHECK_FC_ASSERT_ATTRS
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index f3487018..6b8fd199 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -492,7 +492,7 @@ neverallow * rootfs:file { create write setattr relabelto append unlink link ren
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+neverallow * {fs_type -contextmount_type -sdcard_posix_contextmount_type}:filesystem relabelto;
 
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=
diff --git a/public/attributes b/public/attributes
index 857efc5d..bb6df994 100644
--- a/public/attributes
+++ b/public/attributes
@@ -18,6 +18,9 @@ attribute fs_type;
 # All types used for context= mounts.
 attribute contextmount_type;
 
+# All types used for sdcard_posix context= mounts.
+attribute sdcard_posix_contextmount_type;
+
 # All types used for files that can exist on a labeled fs.
 # Do not use for pseudo file types.
 # On change, update CHECK_FC_ASSERT_ATTRS
diff --git a/public/domain.te b/public/domain.te
index f3487018..6b8fd199 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -492,7 +492,7 @@ neverallow * rootfs:file { create write setattr relabelto append unlink link ren
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+neverallow * {fs_type -contextmount_type -sdcard_posix_contextmount_type}:filesystem relabelto;
 
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=
|
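Review bot: The comment added above `attribute sdcard_posix_contextmount_type;` in public/attributes says what the attribute is used for but not what carrying it exempts a type from, which is the part a future policy author needs to know before assigning it. Per the domain.te hunk in this same commit, a type with this attribute is carved out of the `filesystem relabelto` neverallow, and the commit message states the purpose is to make such context= mounts writable, so the attribute is effectively a weaker sibling of contextmount_type. Suggest expanding the comment to `# All types used for sdcard_posix context= mounts. Unlike contextmount_type, types with this attribute are exempt from the filesystem relabelto neverallow in domain.te and are expected to be writable; only assign it to types backing removable storage.` The identical hunk in prebuilts/api/29.0/public/attributes is a mirror of this file and should carry the same text.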
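Review bot: The comment two lines above the changed `neverallow` in public/domain.te still says context mounts are restricted to types marked with the contextmount_type attribute, which is no longer accurate once the rule also excludes sdcard_posix_contextmount_type; update it to `# the contextmount_type or sdcard_posix_contextmount_type attribute.` The trailing context lines state that the following neverallow exists so the /system write restriction is not bypassed via context= mounts, and that rule lies outside the hunk, so I can only infer that it still names contextmount_type alone — if so, a type given the new attribute is exempt from both the relabelto and the writability check, which matches the stated intent but leaves nothing in this patch constraining which types may receive the attribute. Consider adding a neverallow (or at minimum a comment at this spot) recording that sdcard_posix_contextmount_type types are deliberately writable and are meant only for the sdcard_posix type named in the commit message, so the carve-out is not later reused for a type that backs a system partition. The same hunk is repeated in prebuilts/api/29.0/public/domain.te.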