From 91d989bca4f4302b5313be43681e3b4fa4db508c Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 2 Sep 2021 12:49:38 +0800 Subject: [PATCH 1/3] review mount and block devices Bug: 196916111 Test: make sure all path under ufs is labeled Change-Id: Ic3e07e7341f838f54c483ab8b272407a70f1f8f2 --- legacy/device.te | 1 - legacy/file_contexts | 34 -------------------- legacy/init.te | 12 ------- legacy/vold.te | 2 -- whitechapel_pro/device.te | 1 + whitechapel_pro/file_contexts | 26 +++++++++++++++ whitechapel_pro/init.te | 13 ++++++++ {legacy => whitechapel_pro}/update_engine.te | 0 whitechapel_pro/vold.te | 3 ++ 9 files changed, 43 insertions(+), 49 deletions(-) rename {legacy => whitechapel_pro}/update_engine.te (100%) create mode 100644 whitechapel_pro/vold.te diff --git a/legacy/device.te b/legacy/device.te index 669892d6..16c05a07 100644 --- a/legacy/device.te +++ b/legacy/device.te @@ -10,7 +10,6 @@ type vendor_m2m1shot_device, dev_type; type vendor_nanohub_device, dev_type; type vendor_secmem_device, dev_type; type vendor_toe_device, dev_type; -type custom_ab_block_device, dev_type; # usbpd type logbuffer_device, dev_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index 1a683e76..f3fd4f09 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -31,40 +31,6 @@ # # Exynos Block Devices # -/dev/block/platform/14700000\.ufs/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/fat u:object_r:fat_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vendor u:object_r:vendor_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/acpm_test_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/dtb_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/ect_test_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/hypervisor_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/keystorage_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/reclaim_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 -/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 # diff --git a/legacy/init.te b/legacy/init.te index d61ea4bb..5b0f7a7b 100644 --- a/legacy/init.te +++ b/legacy/init.te @@ -1,15 +1,3 @@ -allow init custom_ab_block_device:lnk_file relabelto; - -# This is needed for chaining a boot partition vbmeta -# descriptor, where init will probe the boot partition -# to read the chained vbmeta in the first-stage, then -# relabel /dev/block/by-name/boot_[a|b] to block_device -# after loading sepolicy in the second stage. -allow init boot_block_device:lnk_file relabelto; - -allow init persist_file:dir mounton; -allow init modem_efs_file:dir mounton; -allow init modem_userdata_file:dir mounton; allow init ram_device:blk_file w_file_perms; allow init per_boot_file:file ioctl; allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE }; diff --git a/legacy/vold.te b/legacy/vold.te index ecea1946..79bec3d2 100644 --- a/legacy/vold.te +++ b/legacy/vold.te @@ -1,6 +1,4 @@ allow vold sysfs_scsi_devices_0000:file rw_file_perms; -allow vold modem_efs_file:dir rw_dir_perms; -allow vold modem_userdata_file:dir rw_dir_perms; dontaudit vold dumpstate:fifo_file rw_file_perms; dontaudit vold dumpstate:fd { use }; diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te index 5140108b..3b5feaf5 100644 --- a/whitechapel_pro/device.te +++ b/whitechapel_pro/device.te @@ -1,3 +1,4 @@ type sda_block_device, dev_type, bdev_type; type devinfo_block_device, dev_type, bdev_type; type modem_block_device, dev_type, bdev_type; +type custom_ab_block_device, dev_type, bdev_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index 4f32b619..ca65d1a1 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -21,8 +21,34 @@ /dev/umts_router u:object_r:radio_device:s0 /dev/socket/chre u:object_r:chre_socket:s0 /dev/block/sda u:object_r:sda_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 # Data /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 diff --git a/whitechapel_pro/init.te b/whitechapel_pro/init.te index d68103af..ed8fc1cf 100644 --- a/whitechapel_pro/init.te +++ b/whitechapel_pro/init.te @@ -1,3 +1,16 @@ allow init modem_img_file:dir mounton; allow init mnt_vendor_file:dir mounton; allow init modem_img_file:filesystem { getattr mount relabelfrom }; +allow init custom_ab_block_device:lnk_file relabelto; + +# This is needed for chaining a boot partition vbmeta +# descriptor, where init will probe the boot partition +# to read the chained vbmeta in the first-stage, then +# relabel /dev/block/by-name/boot_[a|b] to block_device +# after loading sepolicy in the second stage. +allow init boot_block_device:lnk_file relabelto; + +allow init persist_file:dir mounton; +allow init modem_efs_file:dir mounton; +allow init modem_userdata_file:dir mounton; + diff --git a/legacy/update_engine.te b/whitechapel_pro/update_engine.te similarity index 100% rename from legacy/update_engine.te rename to whitechapel_pro/update_engine.te diff --git a/whitechapel_pro/vold.te b/whitechapel_pro/vold.te new file mode 100644 index 00000000..40da1b01 --- /dev/null +++ b/whitechapel_pro/vold.te @@ -0,0 +1,3 @@ +allow vold modem_efs_file:dir rw_dir_perms; +allow vold modem_userdata_file:dir rw_dir_perms; + From a90c8fe1b51e83f2d94226105fac887a2c06fd89 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 2 Sep 2021 13:24:46 +0800 Subject: [PATCH 2/3] review bootdevice_sysdev Bug: 196916111 Test: boot with bootdevice_sysdev labeled Change-Id: I938fe18718356bf4156bb55937528a1ca3e072fb --- legacy/file.te | 2 -- legacy/file_contexts | 5 ----- legacy/vendor_init.te | 1 - {legacy => whitechapel_pro}/bootdevice_sysdev.te | 0 whitechapel_pro/file.te | 1 + whitechapel_pro/file_contexts | 1 + whitechapel_pro/vendor_init.te | 2 ++ 7 files changed, 4 insertions(+), 8 deletions(-) rename {legacy => whitechapel_pro}/bootdevice_sysdev.te (100%) diff --git a/legacy/file.te b/legacy/file.te index f0920be4..4ceeeff7 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -70,8 +70,6 @@ type sysfs_scsi_devices_0000, sysfs_type, fs_type; type debugfs_f2fs, debugfs_type, fs_type; type proc_f2fs, proc_type, fs_type; -type bootdevice_sysdev, dev_type; - # ZRam type per_boot_file, file_type, data_file_type, core_data_file_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index f3fd4f09..c93aa364 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -28,11 +28,6 @@ # Wireless charger HAL /(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 -# -# Exynos Block Devices -# -/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 - # # Exynos Devices # diff --git a/legacy/vendor_init.te b/legacy/vendor_init.te index 759fa83d..b2e53a88 100644 --- a/legacy/vendor_init.te +++ b/legacy/vendor_init.te @@ -12,7 +12,6 @@ set_prop(vendor_init, vendor_thermal_prop) allow vendor_init proc_dirty:file w_file_perms; allow vendor_init proc_sched:file write; -allow vendor_init bootdevice_sysdev:file create_file_perms; userdebug_or_eng(` set_prop(vendor_init, logpersistd_logging_prop) diff --git a/legacy/bootdevice_sysdev.te b/whitechapel_pro/bootdevice_sysdev.te similarity index 100% rename from legacy/bootdevice_sysdev.te rename to whitechapel_pro/bootdevice_sysdev.te diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index 07ea9e8b..ed9626b8 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -13,6 +13,7 @@ type vendor_fw_file, vendor_file_type, file_type; # sysfs type sysfs_chosen, sysfs_type, fs_type; type sysfs_ota, sysfs_type, fs_type; +type bootdevice_sysdev, dev_type; # vendor extra images type modem_img_file, contextmount_type, file_type, vendor_file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index ca65d1a1..c61ab7fd 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -19,6 +19,7 @@ /dev/umts_rfs0 u:object_r:radio_device:s0 /dev/umts_dm0 u:object_r:radio_device:s0 /dev/umts_router u:object_r:radio_device:s0 +/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 /dev/socket/chre u:object_r:chre_socket:s0 /dev/block/sda u:object_r:sda_block_device:s0 /dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te index 4218745a..250d228e 100644 --- a/whitechapel_pro/vendor_init.te +++ b/whitechapel_pro/vendor_init.te @@ -1 +1,3 @@ +allow vendor_init bootdevice_sysdev:file create_file_perms; + set_prop(vendor_init, vendor_cbd_prop) From ff91ffd98ab2b31533a71fff4d3379378e9db067 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Thu, 2 Sep 2021 14:48:13 +0800 Subject: [PATCH 3/3] review rfsd Bug: 198532074 Test: boot with rfsd started Change-Id: I183c75b5fad35eec56fbca693896c94f7a1ca410 --- legacy/file.te | 4 ---- legacy/file_contexts | 6 ------ whitechapel_pro/file.te | 2 ++ whitechapel_pro/file_contexts | 2 ++ {legacy => whitechapel_pro}/rfsd.te | 3 --- 5 files changed, 4 insertions(+), 13 deletions(-) rename {legacy => whitechapel_pro}/rfsd.te (93%) diff --git a/legacy/file.te b/legacy/file.te index 4ceeeff7..e55ad46a 100644 --- a/legacy/file.te +++ b/legacy/file.te @@ -3,10 +3,6 @@ type vendor_cbd_boot_file, file_type, data_file_type; type vendor_media_data_file, file_type, data_file_type; -# Exynos Log Files -type vendor_log_file, file_type, data_file_type; -type vendor_rfsd_log_file, file_type, data_file_type; - # app data files type vendor_test_data_file, file_type, data_file_type; type vendor_telephony_data_file, file_type, data_file_type; diff --git a/legacy/file_contexts b/legacy/file_contexts index c93aa364..cc277636 100644 --- a/legacy/file_contexts +++ b/legacy/file_contexts @@ -68,12 +68,6 @@ /(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 /(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 -# -# Exynos Log Files -# -/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 -/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 - /persist/sensorcal\.json u:object_r:sensors_cal_file:s0 # data files diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te index ed9626b8..75fd4eed 100644 --- a/whitechapel_pro/file.te +++ b/whitechapel_pro/file.te @@ -1,4 +1,6 @@ # Data +type vendor_log_file, file_type, data_file_type; +type vendor_rfsd_log_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_slog_file, file_type, data_file_type; type radio_vendor_data_file, file_type, data_file_type; diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts index c61ab7fd..0787e3de 100644 --- a/whitechapel_pro/file_contexts +++ b/whitechapel_pro/file_contexts @@ -55,6 +55,8 @@ /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 /data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 /data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0 +/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 +/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 # Persist /mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 diff --git a/legacy/rfsd.te b/whitechapel_pro/rfsd.te similarity index 93% rename from legacy/rfsd.te rename to whitechapel_pro/rfsd.te index 2f7102fc..898e7fca 100644 --- a/legacy/rfsd.te +++ b/whitechapel_pro/rfsd.te @@ -2,9 +2,6 @@ type rfsd, domain; type rfsd_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(rfsd) -# Allow to setuid from root to radio -allow rfsd self:capability { chown setuid }; - # Allow to search block device and mnt dir for modem EFS partitions allow rfsd mnt_vendor_file:dir search; allow rfsd block_device:dir search;