convert-to-ext4-sh.te: use su domain instead
07af2808d5 (b/239632964) added
security policy support for /system_ext/bin/convert_to_ext4.sh.
This shell script converts f2fs filesystems into ext4 filesystems
on debuggable builds (userdebug or eng) only. Ever since 2022,
the security policy for this shell script has been in permissive
mode, meaning no SELinux rules were being enforced.
# convert-to-ext4-sh.te
permissive convert-to-ext4-sh;
In the intervening 2 years, there has been no attempt to move
this domain into enforcing mode. And by now, this script has
likely served its purpose, by converting f2fs /persist filesystems
on engineering builds to ext4, and is probably no longer needed.
This change eliminates the use of the unenforced convert-to-ext4-sh
security domain, preferring instead to use the "su" security domain.
Like convert-to-ext4-sh, the su security domain enforces no rules
on debuggable builds, and is equivalent to traditional root on
desktop Linux systems, or running /system/xbin/su. This change
eliminates unnecessary technical complexity, and unblocks other
hardening changes, such as WIP commit
https://android-review.googlesource.com/c/platform/system/sepolicy/+/3308856
Moving from one permissive domain ("convert-to-ext4-sh") to another
permissive domain ("su") should be a no-op from a security and
functionality perspective.
Test: compiles and builds, passes treehugger.
Bug: 239632964
Change-Id: Ifd628310a923926d1a57b568c7703cb857f0871bThis commit is contained in:
Nick Kralevich
parent
06ca871143
commit
588e82af38
3 changed files with 14 additions and 34 deletions
|
|
@ -1,34 +0,0 @@
|
|||
type convert-to-ext4-sh, domain, coredomain;
|
||||
type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
userdebug_or_eng(`
|
||||
permissive convert-to-ext4-sh;
|
||||
|
||||
init_daemon_domain(convert-to-ext4-sh)
|
||||
|
||||
allow convert-to-ext4-sh block_device:dir search;
|
||||
allow convert-to-ext4-sh e2fs_exec:file rx_file_perms;
|
||||
allow convert-to-ext4-sh efs_block_device:blk_file rw_file_perms;
|
||||
allow convert-to-ext4-sh kernel:process setsched;
|
||||
allow convert-to-ext4-sh kmsg_device:chr_file rw_file_perms;
|
||||
allow convert-to-ext4-sh persist_block_device:blk_file { getattr ioctl open read write };
|
||||
allow convert-to-ext4-sh shell_exec:file rx_file_perms;
|
||||
allow convert-to-ext4-sh sysfs_fs_ext4_features:dir { read search };
|
||||
allow convert-to-ext4-sh sysfs_fs_ext4_features:file read;
|
||||
allow convert-to-ext4-sh tmpfs:dir { add_name create mounton open };
|
||||
allow convert-to-ext4-sh tmpfs:dir { remove_name rmdir rw_file_perms setattr };
|
||||
allow convert-to-ext4-sh tmpfs:file { create rw_file_perms unlink };
|
||||
allow convert-to-ext4-sh toolbox_exec:file rx_file_perms;
|
||||
allow convert-to-ext4-sh vendor_persist_type:dir { rw_file_perms search };
|
||||
allow convert-to-ext4-sh vendor_persist_type:file rw_file_perms;
|
||||
|
||||
allowxperm convert-to-ext4-sh { efs_block_device persist_block_device}:blk_file ioctl {
|
||||
BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET LOOP_CLR_FD
|
||||
};
|
||||
|
||||
dontaudit convert-to-ext4-sh labeledfs:filesystem { mount unmount };
|
||||
dontaudit convert-to-ext4-sh self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio };
|
||||
dontaudit convert-to-ext4-sh unlabeled:dir { add_name create mounton open rw_file_perms search setattr };
|
||||
dontaudit convert-to-ext4-sh unlabeled:file { create rw_file_perms setattr };
|
||||
dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override };
|
||||
')
|
||||
|
|
@ -93,3 +93,6 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
|
|||
|
||||
# WLC
|
||||
type sysfs_wlc, sysfs_type, fs_type;
|
||||
|
||||
# /system_ext/bin/convert_to_ext4.sh
|
||||
type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
|
||||
|
|
|
|||
|
|
@ -19,3 +19,14 @@ allow init sysfs_scsi_devices_0000:file w_file_perms;
|
|||
# Workaround for b/193113005 that modem_img unlabeled after disable-verity
|
||||
dontaudit init overlayfs_file:file rename;
|
||||
dontaudit init overlayfs_file:chr_file unlink;
|
||||
|
||||
# /system_ext/bin/convert_to_ext4.sh is a script to convert an f2fs
|
||||
# filesystem into an ext4 filesystem. This script is executed on
|
||||
# debuggable devices only. As it is a one-shot script which
|
||||
# has run in permissive mode since 2022, we transition to the
|
||||
# su domain to avoid unnecessarily polluting security policy
|
||||
# with rules which are never enforced.
|
||||
# This script was added in b/239632964
|
||||
userdebug_or_eng(`
|
||||
domain_auto_trans(init, convert-to-ext4-sh_exec, su)
|
||||
')
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue