From 5b4bea438a4bcb7dd49ab022b46884e3f683dc44 Mon Sep 17 00:00:00 2001
From: Tao Bao <tbao@google.com>
Date: Thu, 5 Oct 2017 13:50:07 -0700
Subject: [PATCH] Create sysfs_dm label.
Prior to this CL, /sys/devices/virtual/block/dm-X was using the generic
sysfs label. This CL creates sysfs_dm label and grants the following
accesses:
- update_verifier to read sysfs_dm dir and file at
/sys/devices/virtual/block/dm-X.
- vold to write sysfs_dm.
Bug: 63440407
Test: update_verifier successfully triggers blocks verification and
marks a sucessful boot;
Test: No sysfs_dm related denials on sailfish.
Change-Id: I6349412707800f1bd3a2fb94d4fe505558400c95
---
private/compat/26.0/26.0.cil | 2 +-
private/genfs_contexts | 1 +
public/file.te | 1 +
public/update_verifier.te | 11 ++++++++++-
public/vold.te | 1 +
5 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 7246b7f8b..234588a2e 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -564,7 +564,7 @@
(typeattributeset surfaceflinger_26_0 (surfaceflinger))
(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0 (sysfs))
+(typeattributeset sysfs_26_0 (sysfs sysfs_dm))
(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6a95ffbdb..563da5d5c 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -62,6 +62,7 @@ genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
diff --git a/public/file.te b/public/file.te
index bcd2fdda9..d79fb6044 100644
--- a/public/file.te
+++ b/public/file.te
@@ -47,6 +47,7 @@ type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_dm, fs_type, sysfs_type;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 6bba17b76..5d20eca82 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -9,7 +9,16 @@ allow update_verifier block_device:dir search;
allow update_verifier ota_package_file:dir r_dir_perms;
allow update_verifier ota_package_file:file r_file_perms;
-# Read all blocks in dm wrapped system partition.
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow update_verifier sysfs:dir r_dir_perms;
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and system/vendor partitions.
+allow update_verifier sysfs_dm:dir r_dir_perms;
+allow update_verifier sysfs_dm:file r_file_perms;
+
+# Read all blocks in DM wrapped system partition.
allow update_verifier dm_device:blk_file r_file_perms;
# Write to kernel message.
diff --git a/public/vold.te b/public/vold.te
index a569f9ebd..71932dfc7 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -12,6 +12,7 @@ r_dir_file(vold, proc_net)
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
allow vold sysfs:file w_file_perms;
+allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;
--
GitLab