seapp_context: explicitly label all seapp context files
seapp_context files need to be explicitly labeled as they are now split
across system and vendor and won't have the generic world readable
'system_file' label.
Bug: 36002414
Test: no new 'seapp_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check --abi \
arm64-v8a --module CtsSecurityHostTestCases -t \
android.security.cts.SELinuxHostTest#testAospSeappContexts
Test: Launch 'chrome' and succesfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, succesfully playback recorded
video
Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/private/adbd.te b/private/adbd.te
index 2b80281..eb6ae32 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -102,6 +102,7 @@
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file r_file_perms;
allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
diff --git a/private/file_contexts b/private/file_contexts
index 08deeaf..35325f9 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -46,9 +46,9 @@
/plat_sepolicy\.cil u:object_r:rootfs:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
/nonplat_property_contexts u:object_r:property_contexts_file:s0
-/seapp_contexts u:object_r:rootfs:s0
-/nonplat_seapp_contexts u:object_r:rootfs:s0
-/plat_seapp_contexts u:object_r:rootfs:s0
+/seapp_contexts u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:rootfs:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/nonplat_service_contexts u:object_r:service_contexts_file:s0
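Review bot: Relabeling `/seapp_contexts`, `/nonplat_seapp_contexts` and `/plat_seapp_contexts` away from `rootfs` means every domain that used to read them through a `rootfs:file` rule (or `system_file` for the /system copy) now needs an explicit `seapp_contexts_file` grant. The visible sections add one only for adbd, zygote, webview_zygote and installd. The listed tests cover boot, recovery sideload, Chrome and Camera, so a reader that only runs on demand would show up as a denial later. run-as is one I would check, since it also resolves an app context before switching domains; if it or another reader is affected it needs the same rule, e.g. `allow runas seapp_contexts_file:file r_file_perms;`.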
@@ -252,6 +252,7 @@
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
#############################
# Vendor files
@@ -260,6 +261,7 @@
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
#############################
# OEM and ODM files
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index b2a1951..501581a 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,9 +10,6 @@
# resulting process into webview_zygote domain.
init_daemon_domain(webview_zygote)
-# Access to system files for SELinux contexts.
-allow webview_zygote rootfs:file r_file_perms;
-
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -46,6 +43,8 @@
# Interaction between the webview_zygote and its children.
allow webview_zygote isolated_app:process setpgid;
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(webview_zygote)
# Check SELinux permissions.
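Review bot: The comment `# Get seapp_contexts` restates the rule rather than saying why the domain needs the file, and the same applies to the matching hunks in private/zygote.te and public/installd.te. Something like `# Read seapp_contexts to look up the SELinux context for app processes.` would help the next reader judge whether the grant is still needed; the exact wording should be confirmed against what each domain does with the file. public/installd.te also writes `seapp_context` in the singular, unlike the type name and the other two comments. The surrounding rule block continues outside this hunk.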
diff --git a/private/zygote.te b/private/zygote.te
index e9ec672..15fd951 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -62,6 +62,8 @@
allow zygote pmsg_device:chr_file getattr;
allow zygote debugfs_trace_marker:file getattr;
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
selinux_check_context(zygote)
# Check SELinux permissions.
diff --git a/public/file.te b/public/file.te
index 385c88b..27937f4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -262,6 +262,9 @@
# property_contexts file
type property_contexts_file, file_type;
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
# service_contexts file
type service_contexts_file, file_type;
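Review bot: `seapp_contexts_file` is declared with only `file_type`, and nothing in this change pins the new type as read-only. Under the old `rootfs` label the root-directory copies were covered by whatever write restrictions the policy places on `rootfs` (not visible here), and the new type does not inherit them. Since this file decides which domain an app process lands in, a compile-time guard next to the type or in domain.te would be worth adding, e.g. `neverallow { domain -init } seapp_contexts_file:file no_w_file_perms;`. The exempted domains should be adjusted to whatever actually needs to label the file.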
diff --git a/public/installd.te b/public/installd.te
index 474ba9c..a85edff 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -29,6 +29,8 @@
r_dir_file(installd, system_file)
# Get file context
allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
# Search /data/app-asec and stat files in it.
allow installd asec_image_file:dir search;