Evolution-X-Tensor/device_google_gs201
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

convert-to-ext4-sh.te: use su domain instead am: 588e82af38

Browse source 
Original change: https://android-review.googlesource.com/c/device/google/gs201-sepolicy/+/3308857

Change-Id: Id2d0ae24894dee7321bbfe5f3ee232acf083a652
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Nick Kralevich 2024-10-15 23:06:48 +00:00 committed by Automerger Merge Worker
commit a37bde70e7
3 changed files with 14 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

34
whitechapel_pro/convert-to-ext4-sh.te
View file

@ -1,34 +0,0 @@
type convert-to-ext4-sh, domain, coredomain;
type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
permissive convert-to-ext4-sh;
init_daemon_domain(convert-to-ext4-sh)
allow convert-to-ext4-sh block_device:dir search;
allow convert-to-ext4-sh e2fs_exec:file rx_file_perms;
allow convert-to-ext4-sh efs_block_device:blk_file rw_file_perms;
allow convert-to-ext4-sh kernel:process setsched;
allow convert-to-ext4-sh kmsg_device:chr_file rw_file_perms;
allow convert-to-ext4-sh persist_block_device:blk_file { getattr ioctl open read write };
allow convert-to-ext4-sh shell_exec:file rx_file_perms;
allow convert-to-ext4-sh sysfs_fs_ext4_features:dir { read search };
allow convert-to-ext4-sh sysfs_fs_ext4_features:file read;
allow convert-to-ext4-sh tmpfs:dir { add_name create mounton open };
allow convert-to-ext4-sh tmpfs:dir { remove_name rmdir rw_file_perms setattr };
allow convert-to-ext4-sh tmpfs:file { create rw_file_perms unlink };
allow convert-to-ext4-sh toolbox_exec:file rx_file_perms;
allow convert-to-ext4-sh vendor_persist_type:dir { rw_file_perms search };
allow convert-to-ext4-sh vendor_persist_type:file rw_file_perms;
allowxperm convert-to-ext4-sh { efs_block_device persist_block_device}:blk_file ioctl {
BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET LOOP_CLR_FD
};
dontaudit convert-to-ext4-sh labeledfs:filesystem { mount unmount };
dontaudit convert-to-ext4-sh self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio };
dontaudit convert-to-ext4-sh unlabeled:dir { add_name create mounton open rw_file_perms search setattr };
dontaudit convert-to-ext4-sh unlabeled:file { create rw_file_perms setattr };
dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override };
')

3
whitechapel_pro/file.te
View file

@ -93,3 +93,6 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
# WLC # WLC
type sysfs_wlc, sysfs_type, fs_type; type sysfs_wlc, sysfs_type, fs_type;
# /system_ext/bin/convert_to_ext4.sh
type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;

11
whitechapel_pro/init.te
View file

@ -19,3 +19,14 @@ allow init sysfs_scsi_devices_0000:file w_file_perms;
# Workaround for b/193113005 that modem_img unlabeled after disable-verity # Workaround for b/193113005 that modem_img unlabeled after disable-verity
dontaudit init overlayfs_file:file rename; dontaudit init overlayfs_file:file rename;
dontaudit init overlayfs_file:chr_file unlink; dontaudit init overlayfs_file:chr_file unlink;
# /system_ext/bin/convert_to_ext4.sh is a script to convert an f2fs
# filesystem into an ext4 filesystem. This script is executed on
# debuggable devices only. As it is a one-shot script which
# has run in permissive mode since 2022, we transition to the
# su domain to avoid unnecessarily polluting security policy
# with rules which are never enforced.
# This script was added in b/239632964
userdebug_or_eng(`
domain_auto_trans(init, convert-to-ext4-sh_exec, su)
')