sepolicy: Add sdcard_posix_contextmount_type attribute

luk1337 · Michael Bestas · commit c65d07ce3df9 · 2020-12-08T17:55:42.000+02:00
* Since we can't use contextmount_type for sdcard_posix
  due to contextmount_type being read only by design we
  need to declare our own attribute to bypass relabelto
  neverallow. That way we can mount external ext4/f2fs
  SD with sdcard_posix context and write permissions.

Test: m -j selinux_policy
Change-Id: I0dfe49cc0b34dfcce2840198843bde1272cbc61c
diff --git a/prebuilts/api/30.0/public/attributes b/prebuilts/api/30.0/public/attributes
@@ -18,6 +18,9 @@ attribute fs_type;
 # All types used for context= mounts.
 attribute contextmount_type;
 
+# All types used for sdcard_posix context= mounts.
+attribute sdcard_posix_contextmount_type;
+
 # All types used for files that can exist on a labeled fs.
 # Do not use for pseudo file types.
 # On change, update CHECK_FC_ASSERT_ATTRS
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
@@ -494,7 +494,7 @@ neverallow * rootfs:file { create write setattr relabelto append unlink link ren
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+neverallow * {fs_type -contextmount_type -sdcard_posix_contextmount_type}:filesystem relabelto;
 
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=
diff --git a/public/attributes b/public/attributes
@@ -18,6 +18,9 @@ attribute fs_type;
 # All types used for context= mounts.
 attribute contextmount_type;
 
+# All types used for sdcard_posix context= mounts.
+attribute sdcard_posix_contextmount_type;
+
 # All types used for files that can exist on a labeled fs.
 # Do not use for pseudo file types.
 # On change, update CHECK_FC_ASSERT_ATTRS
diff --git a/public/domain.te b/public/domain.te
@@ -494,7 +494,7 @@ neverallow * rootfs:file { create write setattr relabelto append unlink link ren
 
 # Restrict context mounts to specific types marked with
 # the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+neverallow * {fs_type -contextmount_type -sdcard_posix_contextmount_type}:filesystem relabelto;
 
 # Ensure that context mount types are not writable, to ensure that
 # the write to /system restriction above is not bypassed via context=
