sepolicy: Add label to userdata file node
The userdata file node should be labeled to
avoid avc denied.
Bug: 171760673
Bug: 177364376
Test: build pass
Signed-off-by: Randall Huang <huangrandall@google.com>
Change-Id: I9ba89c75c120864c64ea278934b15edc3ba18a6c
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 1e40893..bf02085 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -106,6 +106,7 @@
texttospeech_service
transformer_service
update_engine_stable_service
+ userdata_sysdev
usermanager_service
userspace_reboot_metadata_file
vcn_management_service
diff --git a/private/file_contexts b/private/file_contexts
index bc33aed..b7c5628 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -173,6 +173,7 @@
/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
diff --git a/public/device.te b/public/device.te
index d98806a..e2dc511 100644
--- a/public/device.te
+++ b/public/device.te
@@ -117,3 +117,6 @@
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
type sdcard_block_device, dev_type;
+
+# Userdata device file for filesystem tunables
+type userdata_sysdev, dev_type;
diff --git a/public/init.te b/public/init.te
index 069f17d..fdb1694 100644
--- a/public/init.te
+++ b/public/init.te
@@ -600,6 +600,9 @@
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
+# allow filesystem tuning
+allow init userdata_sysdev:file create_file_perms;
+
###
### neverallow rules
###
diff --git a/public/userdata_sysdev.te b/public/userdata_sysdev.te
new file mode 100644
index 0000000..9974f36
--- /dev/null
+++ b/public/userdata_sysdev.te
@@ -0,0 +1 @@
+allow userdata_sysdev sysfs:filesystem associate;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 97cbd0d..a54befb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -197,6 +197,9 @@
allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
+# allow filesystem tuning
+allow vendor_init userdata_sysdev:file create_file_perms;
+
# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
# the dynamic linker and shared libraries.
recovery_only(`