Snap for 12508860 from 5000f8a8f9 to 25Q1-release

Change-Id: I37ca1fe7b3e7e32f95e194b2dd028312d2cfd113

tracking_denials/bug_map

@@ -7,6 +7,7 @@ hal_face_default traced_producer_socket sock_file b/305600808
 hal_graphics_composer_default cgroup_desc_file file b/372359823
 hal_power_default cgroup_desc_file file b/372360278
 hal_power_default hal_power_default capability b/237492146
+hal_sensors_default property_socket sock_file b/373755350
 hal_sensors_default sysfs file b/336451433
 hal_vibrator_default default_android_service service_manager b/360057889
 incidentd debugfs_wakeup_sources file b/282626428

whitechapel_pro/convert-to-ext4-sh.te

@@ -1,34 +0,0 @@
-type convert-to-ext4-sh, domain, coredomain;
-type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
-  permissive convert-to-ext4-sh;
-
-  init_daemon_domain(convert-to-ext4-sh)
-
-  allow convert-to-ext4-sh block_device:dir search;
-  allow convert-to-ext4-sh e2fs_exec:file rx_file_perms;
-  allow convert-to-ext4-sh efs_block_device:blk_file rw_file_perms;
-  allow convert-to-ext4-sh kernel:process setsched;
-  allow convert-to-ext4-sh kmsg_device:chr_file rw_file_perms;
-  allow convert-to-ext4-sh persist_block_device:blk_file { getattr ioctl open read write };
-  allow convert-to-ext4-sh shell_exec:file rx_file_perms;
-  allow convert-to-ext4-sh sysfs_fs_ext4_features:dir { read search };
-  allow convert-to-ext4-sh sysfs_fs_ext4_features:file read;
-  allow convert-to-ext4-sh tmpfs:dir { add_name create mounton open };
-  allow convert-to-ext4-sh tmpfs:dir { remove_name rmdir rw_file_perms setattr };
-  allow convert-to-ext4-sh tmpfs:file { create rw_file_perms unlink };
-  allow convert-to-ext4-sh toolbox_exec:file rx_file_perms;
-  allow convert-to-ext4-sh vendor_persist_type:dir { rw_file_perms search };
-  allow convert-to-ext4-sh vendor_persist_type:file rw_file_perms;
-
-  allowxperm convert-to-ext4-sh { efs_block_device persist_block_device}:blk_file ioctl {
-    BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET LOOP_CLR_FD
-  };
-
-  dontaudit convert-to-ext4-sh labeledfs:filesystem  { mount unmount };
-  dontaudit convert-to-ext4-sh self:capability { chown fowner fsetid dac_read_search sys_admin sys_rawio };
-  dontaudit convert-to-ext4-sh unlabeled:dir { add_name create mounton open rw_file_perms search setattr };
-  dontaudit convert-to-ext4-sh unlabeled:file { create rw_file_perms setattr };
-  dontaudit convert-to-ext4-sh convert-to-ext4-sh:capability { dac_override };
-')

whitechapel_pro/file.te

@@ -93,3 +93,6 @@ type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
 
 # WLC
 type sysfs_wlc, sysfs_type, fs_type;
+
+# /system_ext/bin/convert_to_ext4.sh
+type convert-to-ext4-sh_exec, system_file_type, exec_type, file_type;

whitechapel_pro/init.te

@@ -19,3 +19,14 @@ allow init sysfs_scsi_devices_0000:file w_file_perms;
 # Workaround for b/193113005 that modem_img unlabeled after disable-verity
 dontaudit init overlayfs_file:file rename;
 dontaudit init overlayfs_file:chr_file unlink;
+
+# /system_ext/bin/convert_to_ext4.sh is a script to convert an f2fs
+# filesystem into an ext4 filesystem. This script is executed on
+# debuggable devices only. As it is a one-shot script which
+# has run in permissive mode since 2022, we transition to the
+# su domain to avoid unnecessarily polluting security policy
+# with rules which are never enforced.
+# This script was added in b/239632964
+userdebug_or_eng(`
+  domain_auto_trans(init, convert-to-ext4-sh_exec, su)
+')