Allow the init and apexd processes to read all block device properties
Addressing b/194450129 requires configuring the I/O scheduler and the
queue depth of loop devices. Doing this in a generic way requires
iterating over the block devices under /sys/class/block and also to
examine the properties of the boot device (/dev/sda). Hence this patch
that allows 'init' and 'apexd' to read the properties of all block
devices. The patch that configures the queue depth is available at
https://android-review.googlesource.com/c/platform/system/core/+/1783847.
Test: Built Android images, installed these on an Android device and verified that modified init and apexd processes do not trigger any SELinux complaints.
Change-Id: Icb62449fe0d21b3790198768a2bb8e808c7b968e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
diff --git a/private/apexd.te b/private/apexd.te
index d9017cb..3213241 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -43,8 +43,9 @@
BLKFLSBUF
LOOP_CONFIGURE
};
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd bdev_type:dir r_dir_perms;
+allow apexd bdev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
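Review bot: The rewritten comment on the `bdev_type:dir` line still says "access /dev/block", but `bdev_type` is the attribute spanning every block-device type, so the rule now grants directory listing on every bdev_type-labelled directory and `getattr` on every block device node rather than on block_device alone; the same widening, with the same comment wording, appears in the init.te hunk of this patch. If the wider grant is what walking the devices found under /sys/class/block needs, the comment should say so, e.g. `# Allow apexd to list block device directories and stat any block device node (bdev_type covers all block device labels)`; if only the boot device and loop devices are needed, naming those types would keep the grant closer to the original. The ioctl allow-list that this hunk's `};` closes starts outside the hunk.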
@@ -98,6 +99,8 @@
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
+allow apexd sysfs_block_type:dir r_dir_perms;
+allow apexd sysfs_block_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
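Review bot: The two new `sysfs_block_type` rules grant `dir` and `file` access, but /sys/class/block entries are symlinks, and following them needs `lnk_file read` on the label of the link itself; unless a domain-wide `lnk_file` rule on sysfs_type already exists elsewhere in the policy, consider adding `allow apexd sysfs_block_type:lnk_file read;` next to these lines. The file rule also grants the full `r_file_perms` set, while init in this same patch gets only `{ getattr read }`; if apexd genuinely needs more than init (ioctl, map, etc.), a one-line comment stating which attribute files it reads would justify the difference and let the grant be narrowed later. The surrounding read-ahead rules continue below the hunk.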
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 0eb5e64..f8696f8 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -126,6 +126,7 @@
snapuserd_socket
soc_prop
speech_recognition_service
+ sysfs_block
sysfs_devfreq_cur
sysfs_devfreq_dir
sysfs_devices_cs_etm
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 8af6198..906dee9 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -118,6 +118,7 @@
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/block u:object_r:sysfs_block:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
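Review bot: The new `genfscon sysfs /class/block` entry breaks the path ordering of this group: the neighbouring `/class/*` entries are sorted (android_usb, extcon, leds, net), so the line belongs between `/class/android_usb` and `/class/extcon`. Note also that this labelling covers only the /sys/class/block directory and the symlinks inside it; the attribute files those links resolve to live under /sys/devices and keep whatever label that path has, so the `sysfs_block_type:file` rules in apexd.te and init.te only apply to files that are actually labelled with a sysfs_block_type type. The declaration of `sysfs_block` and its membership in the `sysfs_block_type` attribute is not in the visible hunks; presumably it lands in public/file.te or the attributes file later in the patch.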
diff --git a/private/init.te b/private/init.te
index b7b3f38..f569e0c 100644
--- a/private/init.te
+++ b/private/init.te
@@ -42,6 +42,12 @@
allow init sysfs_loop:dir r_dir_perms;
allow init sysfs_loop:file rw_file_perms;
+# Allow init to examine the properties of block devices.
+allow init sysfs_block_type:file { getattr read };
+# Allow init access /dev/block
+allow init bdev_type:dir r_dir_perms;
+allow init bdev_type:blk_file getattr;
+
# Allow init to write to the drop_caches file.
allow init proc_drop_caches:file rw_file_perms;
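Review bot: The new `sysfs_block_type:file { getattr read }` rule does not include `open`, so init can only read these files through a descriptor it already holds unless a broader sysfs_type file rule outside this hunk supplies `open`; if the intent is for init to open(2) the attribute files itself, the line should read `allow init sysfs_block_type:file { getattr open read };`. There is likewise no `sysfs_block_type:dir` rule here, so iterating /sys/class/block relies on an existing sysfs_type dir rule that this hunk does not show; either confirm that rule exists or mirror apexd's `allow init sysfs_block_type:dir r_dir_perms;`. The comment `# Allow init access /dev/block` is missing a word and should be `# Allow init to access /dev/block`.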