sepolicy: Add sdcard_posix_contextmount_type attribute
* Since we can't use contextmount_type for sdcard_posix
  due to contextmount_type being read-only by design, we
  need to declare our own attribute to bypass the relabelto
  neverallow. That way we can mount external ext4/f2fs
  SD with sdcard_posix context and write permissions.

Test: m -j selinux_policy
Change-Id: I0dfe49cc0b34dfcce2840198843bde1272cbc61c
luk1337 authored and afterallafk committed Mar 28, 2024
1 parent 4f98f58 commit 1c83025
Showing 4 changed files with 8 additions and 2 deletions.
3 changes: 3 additions & 0 deletions prebuilts/api/34.0/public/attributes
@@ -27,6 +27,9 @@ attribute contextmount_type;
# example.
attribute fusefs_type;

# All types used for sdcard_posix context= mounts.
attribute sdcard_posix_contextmount_type;

# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
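Review bot: this is the frozen 34.0 API snapshot copy of the public/attributes hunk and must stay byte-identical to it, which it does here; the new comment, however, only says where the types are used and not that carrying this attribute exempts a type from the contextmount_type relabelto neverallow in domain.te. Record that consequence in the comment in both copies, e.g. "Types carrying this attribute may be used for context= mounts and are not subject to the contextmount_type restrictions."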
2 changes: 1 addition & 1 deletion prebuilts/api/34.0/public/domain.te
@@ -492,7 +492,7 @@ neverallow { domain -recovery } rootfs:file { create write setattr relabelto app

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;
neverallow * {fs_type -contextmount_type -sdcard_posix_contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
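Review bot: the hunk header here (@@ -492) differs from the one for the same rule in public/domain.te (@@ -503), so the 34.0 snapshot and the live policy already differ elsewhere in this file; confirm that divergence is intended before mirroring edits into the snapshot. The comment two lines above the changed neverallow still names only contextmount_type and should be updated together with the rule in this copy as well.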
3 changes: 3 additions & 0 deletions public/attributes
@@ -27,6 +27,9 @@ attribute contextmount_type;
# example.
attribute fusefs_type;

# All types used for sdcard_posix context= mounts.
attribute sdcard_posix_contextmount_type;

# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
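Review bot: no type is assigned this attribute anywhere in the change (none of the four files contains a typeattribute line), so on its own the new attribute is a no-op and the ext4/f2fs SD mount described in the commit message still hits the relabelto neverallow. Either add the assignment in the same change (something like `typeattribute sdcard_posix sdcard_posix_contextmount_type;` in the file that declares sdcard_posix) or say in the commit message that it lands separately. Whatever carries this attribute gains a carve-out from the relabelto neverallow, so keep it restricted to the sdcard_posix type.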
2 changes: 1 addition & 1 deletion public/domain.te
@@ -503,7 +503,7 @@ neverallow { domain -recovery } rootfs:file { create write setattr relabelto app

# Restrict context mounts to specific types marked with
# the contextmount_type attribute.
neverallow * {fs_type -contextmount_type}:filesystem relabelto;
neverallow * {fs_type -contextmount_type -sdcard_posix_contextmount_type}:filesystem relabelto;

# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
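Review bot: the comment immediately above the changed neverallow ("Restrict context mounts to specific types marked with the contextmount_type attribute") is now incomplete and should name sdcard_posix_contextmount_type and why it is carved out. More importantly, the neverallow that follows ("Ensure that context mount types are not writable, to ensure that the write to /system restriction above is not bypassed via context=") still covers only contextmount_type, so a type carrying the new attribute is both mountable with context= and writable, which is precisely the bypass that comment guards against. That is the intended effect per the commit message, but it should be stated next to the rule so a later reader does not mistake it for an oversight, and the attribute should stay limited to the sdcard_posix type rather than become a general escape hatch from the context-mount restrictions.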