07af2808d5
(b/239632964) added
security policy support for /system_ext/bin/convert_to_ext4.sh.
This shell script converts f2fs filesystems into ext4 filesystems
on debuggable builds (userdebug or eng) only. Ever since 2022,
the security policy for this shell script has been in permissive
mode, meaning no SELinux rules were being enforced.
  # convert-to-ext4-sh.te
  permissive convert-to-ext4-sh;
In the intervening 2 years, there has been no attempt to move
this domain into enforcing mode. And by now, this script has
likely served its purpose, by converting f2fs /persist filesystems
on engineering builds to ext4, and is probably no longer needed.
This change eliminates the use of the unenforced convert-to-ext4-sh
security domain, preferring instead to use the "su" security domain.
Like convert-to-ext4-sh, the su security domain enforces no rules
on debuggable builds, and is equivalent to traditional root on
desktop Linux systems, or running /system/xbin/su. This change
eliminates unnecessary technical complexity, and unblocks other
hardening changes, such as WIP commit
https://android-review.googlesource.com/c/platform/system/sepolicy/+/3308856
Moving from one permissive domain ("convert-to-ext4-sh") to another
permissive domain ("su") should be a no-op from a security and
functionality perspective.
Test: compiles and builds, passes treehugger.
Bug: 239632964
Change-Id: Ifd628310a923926d1a57b568c7703cb857f0871b
32 lines
1.3 KiB
Text
allow init modem_img_file:dir mounton;
allow init mnt_vendor_file:dir mounton;
allow init modem_img_file:filesystem { getattr mount relabelfrom };
allow init custom_ab_block_device:lnk_file relabelto;

# This is needed for chaining a boot partition vbmeta
# descriptor, where init will probe the boot partition
# to read the chained vbmeta in the first-stage, then
# relabel /dev/block/by-name/boot_[a|b] to block_device
# after loading sepolicy in the second stage.
allow init boot_block_device:lnk_file relabelto;

allow init persist_file:dir mounton;
allow init modem_efs_file:dir mounton;
allow init modem_userdata_file:dir mounton;
allow init ram_device:blk_file w_file_perms;
allow init sysfs_scsi_devices_0000:file w_file_perms;

# Workaround for b/193113005 that modem_img unlabeled after disable-verity
dontaudit init overlayfs_file:file rename;
dontaudit init overlayfs_file:chr_file unlink;

# /system_ext/bin/convert_to_ext4.sh is a script to convert an f2fs
# filesystem into an ext4 filesystem. This script is executed on
# debuggable devices only. As it is a one-shot script which
# has run in permissive mode since 2022, we transition to the
# su domain to avoid unnecessarily polluting security policy
# with rules which are never enforced.
# This script was added in b/239632964
userdebug_or_eng(`
  domain_auto_trans(init, convert-to-ext4-sh_exec, su)
')
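
An added example, not part of the commit or of the project's own tooling: a small Python audit that lists `permissive` declarations and `domain_auto_trans` rules targeting `su` in policy source, and records whether each sits inside a `userdebug_or_eng` block like the one above. The `example_tool` names and the sample policy text are constructed for illustration.

```python
import re

# Constructed sample policy. The guarded rule is the one from the file above;
# the example_tool names are hypothetical and exist only for this demo.
SAMPLE = """\
# Constructed: hypothetical domain declared permissive with no build guard.
permissive example_tool;
# Rule from the policy file shown above.
userdebug_or_eng(`
  domain_auto_trans(init, convert-to-ext4-sh_exec, su)
')
# Constructed: hypothetical transition into su with no build guard.
domain_auto_trans(init, example_tool_exec, su)
"""

PERMISSIVE = re.compile(r"\bpermissive\s+([\w-]+)\s*;")
AUTO_TRANS = re.compile(
    r"\bdomain_auto_trans\(\s*([\w-]+)\s*,\s*([\w-]+)\s*,\s*([\w-]+)\s*\)")

def audit(policy_text):
    """Return (line_no, kind, name, guarded) for each rule of interest."""
    findings, depth, guard_depth = [], 0, None
    for no, raw in enumerate(policy_text.splitlines(), 1):
        line = raw.split("#", 1)[0]            # drop comments
        if guard_depth is None and "userdebug_or_eng(`" in line:
            guard_depth = depth                # m4 quote depth outside the guard
        depth += line.count("(`")
        guarded = guard_depth is not None
        for m in PERMISSIVE.finditer(line):
            findings.append((no, "permissive", m.group(1), guarded))
        for m in AUTO_TRANS.finditer(line):
            if m.group(3) == "su":             # only transitions into su
                findings.append((no, "su_transition", m.group(2), guarded))
        depth -= line.count("')")
        if guarded and depth <= guard_depth:
            guard_depth = None                 # guard block closed
    return findings

def needs_review(findings):
    """Rules that are not limited to userdebug/eng builds."""
    return [f for f in findings if not f[3]]

if __name__ == "__main__":
    for no, kind, name, guarded in audit(SAMPLE):
        scope = "userdebug/eng only" if guarded else "ALL BUILD TYPES"
        print(f"line {no}: {kind} {name} ({scope})")
```

The scan works on unexpanded m4 source, so it also handles the single-line form where the guard and the rule share one line.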