From 0c7bc58e91eeda73e24f13735c0205fd3f88f91a Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Thu, 21 Jan 2016 16:06:33 -0800
Subject: [PATCH] Remove domain_deprecated from sdcard domains
Remove from blkid, blkid_untrusted, fsck, fsck_untrusted, sdcardd and sgdisk.
Tested by adding external sdcard with and without "adb shell sm set-force-adoptable true" command.
Address the following denials:
avc: denied { read } for name="swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { open } for path="/proc/swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { getattr } for path="/proc/swaps" dev="proc" ino=4026536590 scontext=u:r:fsck:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { read } for name="filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { open } for path="/proc/filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file
avc: denied { getattr } for path="/proc/filesystems" dev="proc" ino=4026536591 scontext=u:r:blkid:s0 tcontext=u:object_r:proc:s0 tclass=file
Change-Id: I097e2ba5205e43f8ee613dae063f773a35ce3d73
---
 blkid.te | 5 ++++-
 blkid_untrusted.te | 2 +-
 fsck.te | 4 +++-
 fsck_untrusted.te | 2 +-
 sdcardd.te | 2 +-
 sgdisk.te | 2 +-
 6 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/blkid.te b/blkid.te
index 23ce3a9da..7a7e02457 100644
--- a/blkid.te
+++ b/blkid.te
@@ -1,5 +1,5 @@
 # blkid called from vold
-type blkid, domain, domain_deprecated;
+type blkid, domain;
 type blkid_exec, exec_type, file_type;
 # Allowed read-only access to encrypted devices to extract UUID/label
@@ -14,6 +14,9 @@ allow blkid vold:fifo_file { read write getattr };
 # For blkid launched through popen()
 allow blkid blkid_exec:file rx_file_perms;
+# access to /proc/filesystems
+allow blkid proc:file r_file_perms;
+
 # Only allow entry from vold
 neverallow { domain -vold } blkid:process transition;
 neverallow domain blkid:process dyntransition;
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
index 7e53de7ad..df8e447f9 100644
--- a/blkid_untrusted.te
+++ b/blkid_untrusted.te
@@ -1,5 +1,5 @@
 # blkid for untrusted block devices
-type blkid_untrusted, domain, domain_deprecated;
+type blkid_untrusted, domain;
 # Allowed read-only access to vold block devices to extract UUID/label
 allow blkid_untrusted block_device:dir search;
diff --git a/fsck.te b/fsck.te
index cdf1188aa..ebff968a2 100644
--- a/fsck.te
+++ b/fsck.te
@@ -1,5 +1,5 @@
 # Any fsck program run by init
-type fsck, domain, domain_deprecated;
+type fsck, domain;
 type fsck_exec, exec_type, file_type;
 init_daemon_domain(fsck)
@@ -24,6 +24,8 @@ allow fsck dm_device:blk_file rw_file_perms;
 # fsck performs a stat() on swap to verify that it is a valid
 # swap device before setting the EXT2_MF_SWAP mount flag.
 allow fsck swap_block_device:blk_file getattr;
+# access to /proc/swaps
+allow fsck proc:file r_file_perms;
 ###
 ### neverallow rules
diff --git a/fsck_untrusted.te b/fsck_untrusted.te
index 4f01db215..67c67b762 100644
--- a/fsck_untrusted.te
+++ b/fsck_untrusted.te
@@ -1,5 +1,5 @@
 # Any fsck program run on untrusted block devices
-type fsck_untrusted, domain, domain_deprecated;
+type fsck_untrusted, domain;
 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
diff --git a/sdcardd.te b/sdcardd.te
index 056e9f829..a6648200e 100644
--- a/sdcardd.te
+++ b/sdcardd.te
@@ -1,4 +1,4 @@
-type sdcardd, domain, domain_deprecated;
+type sdcardd, domain;
 type sdcardd_exec, exec_type, file_type;
 allow sdcardd cgroup:dir create_dir_perms;
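Review bot: In blkid.te the new `allow blkid proc:file r_file_perms;` is wider than its comment says: the rule covers every file that carries the generic `proc` label, while the denials quoted in the commit message concern only /proc/filesystems. The same applies to `allow fsck proc:file r_file_perms;` in the second fsck.te hunk, where only /proc/swaps was denied. If the policy can give these two files their own types through `genfscon` entries, the rules could name those types instead of `proc`. Until then the comments should state the real scope, e.g. `# Reads /proc/filesystems; proc:file also covers every other file labeled proc`.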
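Review bot: blkid_untrusted.te drops `domain_deprecated` without any replacement proc rule, although blkid.te in this same commit needed `proc:file` read access for /proc/filesystems; the commit message lists denials for the blkid and fsck domains only. If the untrusted domain runs the same program (the file header comments suggest so, but the page does not show it), the missing grant should be recorded as deliberate, for example `# No proc access: intentionally not granted to the untrusted variant`. It is also worth confirming in testing that a resulting denial does not break probing of an untrusted card. fsck_untrusted.te is in the same position relative to fsck.te.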
diff --git a/sgdisk.te b/sgdisk.te
index b8d6b3ffc..8a689a113 100644
--- a/sgdisk.te
+++ b/sgdisk.te
@@ -1,5 +1,5 @@
 # sgdisk called from vold
-type sgdisk, domain, domain_deprecated;
+type sgdisk, domain;
 type sgdisk_exec, exec_type, file_type;
 # Allowed to read/write low-level partition tables
-- GitLab