Avoid SELinux violation at vndservicemanager
Avoid the following SELinux violation.
avc: denied { read } for comm="vndservicemanag"
name="nonplat_service_contexts" dev="rootfs" ino=17045
scontext=u:r:vndservicemanager:s0
tcontext=u:object_r:service_contexts_file:s0 tclass=file permissive=0
ppid=1 pcomm="init" pgid=1 pgcomm="init"
This violation is caused by vndservicemanager reading service_contexts at
svcmgr_handler(). In main() loading as well, processing is divided by
the VENDORSERVICEMANAGER flag. Therefore, even in svcmgr_handler(),
processing is divided by flags like main().
Bug: 62562415
Test: mma
Change-Id: I06b0308a80fc6ea1ca57cd10d9555dd269b8e12d
diff --git a/cmds/servicemanager/service_manager.c b/cmds/servicemanager/service_manager.c
index 45bb1d0..d5cfcaf 100644
--- a/cmds/servicemanager/service_manager.c
+++ b/cmds/servicemanager/service_manager.c
@@ -287,7 +287,11 @@
}
if (sehandle && selinux_status_updated() > 0) {
+#ifdef VENDORSERVICEMANAGER
+ struct selabel_handle *tmp_sehandle = selinux_android_vendor_service_context_handle();
+#else
struct selabel_handle *tmp_sehandle = selinux_android_service_context_handle();
+#endif
if (tmp_sehandle) {
selabel_close(sehandle);
sehandle = tmp_sehandle;
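Review bot: The #ifdef VENDORSERVICEMANAGER block around the tmp_sehandle declaration in svcmgr_handler() repeats the handle selection that, per the commit message, main() already does under the same flag. Two copies of that choice is how this denial arose in the first place, so consider a single static helper that returns selinux_android_vendor_service_context_handle() or selinux_android_service_context_handle() depending on the flag, and call it from both sites. Separately, this branch only runs when selinux_status_updated() > 0, so "Test: mma" (a build) does not exercise it; it would be worth confirming on a device that the avc denial for nonplat_service_contexts no longer appears after a policy status update.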