Create sysfs_dm label.

Prior to this CL, /sys/devices/virtual/block/dm-X was using the generic sysfs label. This CL creates sysfs_dm label and grants the following accesses: - update_verifier to read sysfs_dm dir and file at /sys/devices/virtual/block/dm-X. - vold to write sysfs_dm. Bug: 63440407 Test: update_verifier successfully triggers blocks verification and marks a sucessful boot; Test: No sysfs_dm related denials on sailfish. Change-Id: I6349412707800f1bd3a2fb94d4fe505558400c95

Create sysfs_dm label.
5b4bea43 · Tao Bao · 62d3b4f1 · 5b4bea43 · 5b4bea43 · 5b4bea43
Commit 5b4bea43 authored Oct 5, 2017 by Tao Bao
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -564,7 +564,7 @@
 (typeattributeset surfaceflinger_26_0 (surfaceflinger))
 (typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
 (typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0 (sysfs))
+(typeattributeset sysfs_26_0 (sysfs sysfs_dm))
 (typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
 (typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
 (typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))

--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -62,6 +62,7 @@ genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
 genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/block/dm-       u:object_r:sysfs_dm:s0
 genfscon sysfs /devices/virtual/block/zram0     u:object_r:sysfs_zram:s0
 genfscon sysfs /devices/virtual/block/zram1     u:object_r:sysfs_zram:s0
 genfscon sysfs /devices/virtual/block/zram0/uevent    u:object_r:sysfs_zram_uevent:s0

--- a/public/file.te
+++ b/public/file.te
@@ -47,6 +47,7 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_uio, sysfs_type, fs_type;
 type sysfs_batteryinfo, fs_type, sysfs_type;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_dm, fs_type, sysfs_type;
 type sysfs_leds, fs_type, sysfs_type;
 type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;

--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -9,7 +9,16 @@ allow update_verifier block_device:dir search;
 allow update_verifier ota_package_file:dir r_dir_perms;
 allow update_verifier ota_package_file:file r_file_perms;
-# Read all blocks in dm wrapped system partition.
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow update_verifier sysfs:dir r_dir_perms;
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and system/vendor partitions.
+allow update_verifier sysfs_dm:dir r_dir_perms;
+allow update_verifier sysfs_dm:file r_file_perms;
+# Read all blocks in DM wrapped system partition.
 allow update_verifier dm_device:blk_file r_file_perms;
 # Write to kernel message.

--- a/public/vold.te
+++ b/public/vold.te
@@ -12,6 +12,7 @@ r_dir_file(vold, proc_net)
 r_dir_file(vold, sysfs_type)
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file w_file_perms;
+allow vold sysfs_dm:file w_file_perms;
 allow vold sysfs_usb:file w_file_perms;
 allow vold sysfs_zram_uevent:file w_file_perms;