commit 63930d3850b1592c3a0a84734777232e81228412
author Bart Van Assche <bvanassche@google.com> Fri Oct 08 09:30:42 2021 -0700
committer Bart Van Assche <bvanassche@google.com> Mon Oct 25 16:26:07 2021 -0700
tree 4da01787642ab3d2934652f4fb9e62586e4ecf81
parent 48732e041c33a1e62cdbcd50c19e10efce08f861

Remove the bdev_type and sysfs_block_type SELinux attributes

Remove these SELinux attributes since the apexd and init SELinux policies
no longer rely on these attributes.

The only difference between a previous version of this patch and the
current patch is that the current patch moves these attributes to the
'compat' policy. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.

This patch includes a revert of commit 8b2b951349c4 ("Restore permission
for shell to list /sys/class/block"). That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.

Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd && adb -e shell dmesg | grep avc
Change-Id: Id7d32a914e48bc74da63d87ce6a09f11e323c186
Signed-off-by: Bart Van Assche <bvanassche@google.com>

microdroid/system/public/attributes

diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index ffc2b3b..cf516dd 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -7,9 +7,6 @@
 # in tools/checkfc.c
 attribute dev_type;
 
-# Attribute for block devices.
-attribute bdev_type;
-
 # All types used for processes.
 attribute domain;
 

microdroid/system/public/device.te

diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 898224c..c03fb4d 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,7 +1,7 @@
 type ashmem_device, dev_type, mlstrustedobject;
 type ashmem_libcutils_device, dev_type, mlstrustedobject;
 type binder_device, dev_type, mlstrustedobject;
-type block_device, dev_type, bdev_type;
+type block_device, dev_type;
 type console_device, dev_type;
 type device, dev_type, fs_type;
 type dm_device, dev_type;
@@ -34,7 +34,7 @@
 type uhid_device, dev_type, mlstrustedobject;
 type uio_device, dev_type;
 type userdata_sysdev, dev_type;
-type vd_device, dev_type, bdev_type;
+type vd_device, dev_type;
 type vndbinder_device, dev_type;
 type vsock_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;

prebuilts/api/31.0/plat_pub_versioned.cil

diff --git a/prebuilts/api/31.0/plat_pub_versioned.cil b/prebuilts/api/31.0/plat_pub_versioned.cil
index 3f2c0be..480474a 100644
--- a/prebuilts/api/31.0/plat_pub_versioned.cil
+++ b/prebuilts/api/31.0/plat_pub_versioned.cil
@@ -82,6 +82,7 @@
 (type battery_service)
 (type batteryproperties_service)
 (type batterystats_service)
+(type bdev_type)
 (type binder_cache_bluetooth_server_prop)
 (type binder_cache_system_server_prop)
 (type binder_cache_telephony_server_prop)
@@ -943,6 +944,7 @@
 (type sysfs)
 (type sysfs_android_usb)
 (type sysfs_batteryinfo)
+(type sysfs_block_type)
 (type sysfs_bluetooth_writable)
 (type sysfs_devfreq_cur)
 (type sysfs_devfreq_dir)
@@ -1852,6 +1854,7 @@
 (typeattribute battery_service_31_0)
 (typeattribute batteryproperties_service_31_0)
 (typeattribute batterystats_service_31_0)
+(typeattribute bdev_type_31_0)
 (typeattribute binder_cache_bluetooth_server_prop_31_0)
 (typeattribute binder_cache_system_server_prop_31_0)
 (typeattribute binder_cache_telephony_server_prop_31_0)
@@ -2968,6 +2971,7 @@
 (typeattribute sysfs_31_0)
 (typeattribute sysfs_android_usb_31_0)
 (typeattribute sysfs_batteryinfo_31_0)
+(typeattribute sysfs_block_type_31_0)
 (typeattribute sysfs_bluetooth_writable_31_0)
 (typeattribute sysfs_devfreq_cur_31_0)
 (typeattribute sysfs_devfreq_dir_31_0)

private/compat/31.0/31.0.cil

diff --git a/private/compat/31.0/31.0.cil b/private/compat/31.0/31.0.cil
index 35059a9..fd92b18 100644
--- a/private/compat/31.0/31.0.cil
+++ b/private/compat/31.0/31.0.cil
@@ -91,6 +91,7 @@
 (expandtypeattribute (battery_service_31_0) true)
 (expandtypeattribute (batteryproperties_service_31_0) true)
 (expandtypeattribute (batterystats_service_31_0) true)
+(expandtypeattribute (bdev_type_31_0) true)
 (expandtypeattribute (binder_cache_bluetooth_server_prop_31_0) true)
 (expandtypeattribute (binder_cache_system_server_prop_31_0) true)
 (expandtypeattribute (binder_cache_telephony_server_prop_31_0) true)
@@ -952,6 +953,7 @@
 (expandtypeattribute (sysfs_31_0) true)
 (expandtypeattribute (sysfs_android_usb_31_0) true)
 (expandtypeattribute (sysfs_batteryinfo_31_0) true)
+(expandtypeattribute (sysfs_block_type_31_0) true)
 (expandtypeattribute (sysfs_bluetooth_writable_31_0) true)
 (expandtypeattribute (sysfs_devfreq_cur_31_0) true)
 (expandtypeattribute (sysfs_devfreq_dir_31_0) true)
@@ -1321,6 +1323,7 @@
 (typeattributeset battery_service_31_0 (battery_service))
 (typeattributeset batteryproperties_service_31_0 (batteryproperties_service))
 (typeattributeset batterystats_service_31_0 (batterystats_service))
+(typeattributeset bdev_type_31_0 (bdev_type))
 (typeattributeset binder_cache_bluetooth_server_prop_31_0 (binder_cache_bluetooth_server_prop))
 (typeattributeset binder_cache_system_server_prop_31_0 (binder_cache_system_server_prop))
 (typeattributeset binder_cache_telephony_server_prop_31_0 (binder_cache_telephony_server_prop))
@@ -2182,6 +2185,7 @@
 (typeattributeset sysfs_31_0 (sysfs))
 (typeattributeset sysfs_android_usb_31_0 (sysfs_android_usb))
 (typeattributeset sysfs_batteryinfo_31_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_block_type_31_0 (sysfs_block_type))
 (typeattributeset sysfs_bluetooth_writable_31_0 (sysfs_bluetooth_writable))
 (typeattributeset sysfs_devfreq_cur_31_0 (sysfs_devfreq_cur))
 (typeattributeset sysfs_devfreq_dir_31_0 (sysfs_devfreq_dir))

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index 664a3b3..8f82b5d 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -119,7 +119,6 @@
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /class/android_usb                 u:object_r:sysfs_android_usb:s0
 genfscon sysfs /class/extcon                      u:object_r:sysfs_extcon:s0
-genfscon sysfs /class/block                       u:object_r:sysfs_block:s0
 genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
 genfscon sysfs /class/net                         u:object_r:sysfs_net:s0
 genfscon sysfs /class/rfkill/rfkill0/state        u:object_r:sysfs_bluetooth_writable:s0

public/attributes

diff --git a/public/attributes b/public/attributes
index 32fe98c..35a3800 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,9 +7,6 @@
 # in tools/checkfc.c
 attribute dev_type;
 
-# Attribute for block devices.
-attribute bdev_type;
-
 # All types used for processes.
 attribute domain;
 
@@ -68,9 +65,6 @@
 # All types used for sysfs files.
 attribute sysfs_type;
 
-# Attribute for /sys/class/block files.
-attribute sysfs_block_type;
-
 # All types use for debugfs files.
 attribute debugfs_type;
 

public/device.te

diff --git a/public/device.te b/public/device.te
index 1a71a40..686f955 100644
--- a/public/device.te
+++ b/public/device.te
@@ -6,18 +6,18 @@
 type binder_device, dev_type, mlstrustedobject;
 type hwbinder_device, dev_type, mlstrustedobject;
 type vndbinder_device, dev_type;
-type block_device, dev_type, bdev_type;
+type block_device, dev_type;
 type camera_device, dev_type;
-type dm_device, dev_type, bdev_type;
-type dm_user_device, dev_type, bdev_type;
+type dm_device, dev_type;
+type dm_user_device, dev_type;
 type keychord_device, dev_type;
 type loop_control_device, dev_type;
-type loop_device, dev_type, bdev_type;
+type loop_device, dev_type;
 type pmsg_device, dev_type, mlstrustedobject;
 type radio_device, dev_type;
-type ram_device, dev_type, bdev_type;
+type ram_device, dev_type;
 type rtc_device, dev_type;
-type vd_device, dev_type, bdev_type;
+type vd_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
 type fscklogs, dev_type;
@@ -73,51 +73,51 @@
 type rpmsg_device, dev_type;
 
 # Partition layout block device
-type root_block_device, dev_type, bdev_type;
+type root_block_device, dev_type;
 
 # factory reset protection block device
-type frp_block_device, dev_type, bdev_type;
+type frp_block_device, dev_type;
 
 # System block device mounted on /system.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type, bdev_type;
+type system_block_device, dev_type;
 
 # Recovery block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type, bdev_type;
+type recovery_block_device, dev_type;
 
 # boot block device.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type, bdev_type;
+type boot_block_device, dev_type;
 
 # Userdata block device mounted on /data.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type, bdev_type;
+type userdata_block_device, dev_type;
 
 # Cache block device mounted on /cache.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type, bdev_type;
+type cache_block_device, dev_type;
 
 # Block device for any swap partition.
-type swap_block_device, dev_type, bdev_type;
+type swap_block_device, dev_type;
 
 # Metadata block device used for encryption metadata.
 # Assign this type to the partition specified by the encryptable=
 # mount option in your fstab file in the entry for userdata.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type, bdev_type;
+type metadata_block_device, dev_type;
 
 # The 'misc' partition used by recovery and A/B.
 # Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type, bdev_type;
+type misc_block_device, dev_type;
 
 # 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type, bdev_type;
+type super_block_device, super_block_device_type, dev_type;
 
 # sdcard devices; normally vold uses the vold_block_device label and creates a
 # separate device node. gsid, however, accesses the original devide node
 # created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type, bdev_type;
+type sdcard_block_device, dev_type;
 
 # Userdata device file for filesystem tunables
 type userdata_sysdev, dev_type;

public/file.te

diff --git a/public/file.te b/public/file.te
index 0b94e2e..ffcfd2b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -88,11 +88,10 @@
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
 type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_devfreq_cur, fs_type, sysfs_type;
 type sysfs_devfreq_dir, fs_type, sysfs_type;
-type sysfs_devices_block, fs_type, sysfs_type, sysfs_block_type;
+type sysfs_devices_block, fs_type, sysfs_type;
 type sysfs_dm, fs_type, sysfs_type;
 type sysfs_dm_verity, fs_type, sysfs_type;
 type sysfs_dma_heap, fs_type, sysfs_type;

public/shell.te

diff --git a/public/shell.te b/public/shell.te
index 5fd9079..7751d63 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -157,9 +157,6 @@
 allow shell sysfs_batteryinfo:dir r_dir_perms;
 allow shell sysfs_batteryinfo:file r_file_perms;
 
-# allow shell to list /sys/class/block/ to get storage type for CTS
-allow shell sysfs_block:dir r_dir_perms;
-
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;