label boot animations on oem with bootanim_oem_file

Bootanimation only accesses boot animation files on oem. Label
these files with bootanim_oem_file and remove the oemfs file allow rule.

Also allow mediaserver and app to read this new label as they can access
/oem/media folder.

Bug: 324437684
Test: Confirm that boot animation on oem is shown without violations
Change-Id: I940ccde9391a5daa920f31926d32e68b1de5b7eb
diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil
index 595d53e..7d80433 100644
--- a/private/compat/34.0/34.0.cil
+++ b/private/compat/34.0/34.0.cil
@@ -2099,7 +2099,7 @@
 (typeattributeset null_device_34_0 (null_device))
 (typeattributeset oem_lock_service_34_0 (oem_lock_service))
 (typeattributeset oem_unlock_prop_34_0 (oem_unlock_prop))
-(typeattributeset oemfs_34_0 (oemfs))
+(typeattributeset oemfs_34_0 (oemfs bootanim_oem_file))
 (typeattributeset ondevicepersonalization_system_service_34_0 (ondevicepersonalization_system_service))
 (typeattributeset ota_data_file_34_0 (ota_data_file))
 (typeattributeset ota_metadata_file_34_0 (ota_metadata_file))
diff --git a/private/file_contexts b/private/file_contexts
index 7d9660b..3a65d81 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -457,6 +457,9 @@
 
 /oem(/.*)?              u:object_r:oemfs:s0
 /oem/overlay(/.*)?      u:object_r:vendor_overlay_file:s0
+/oem/media/bootanimation.zip            u:object_r:bootanim_oem_file:s0
+/oem/media/shutdownanimation.zip        u:object_r:bootanim_oem_file:s0
+/oem/media/userspace-reboot.zip         u:object_r:bootanim_oem_file:s0
 
 # The precompiled monolithic sepolicy will be under /odm only when
 # BOARD_USES_ODMIMAGE is true: a separate odm.img is built.
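Review bot: The three new `/oem/media/*.zip` entries leave the `.` before `zip` unescaped, and file_contexts paths are regular expressions, so each pattern accepts any character in that position rather than only a literal dot. Escaping it keeps bootanim_oem_file bound to the exact file names, e.g. `/oem/media/bootanimation\.zip            u:object_r:bootanim_oem_file:s0`, and likewise for the shutdownanimation and userspace-reboot entries. The label only takes effect once the files on the oem partition actually carry it, so the Test line would be stronger if it said how the oem image was relabeled; that cannot be confirmed from this hunk.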
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 7ad8feb..064d0d9 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -73,3 +73,6 @@
 # bpfprog access for FUSE BPF
 allow mediaprovider_app fs_bpf:file read;
 allow mediaprovider_app bpfloader:bpf { map_read map_write prog_run };
+
+# boot animations on oem are stored with specific label
+allow mediaprovider_app bootanim_oem_file:file r_file_perms;
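Review bot: The comment above the new `allow mediaprovider_app bootanim_oem_file:file r_file_perms;` rule says only that the files carry a specific label, not why this domain needs to read them. The commit message implies the grant preserves access the domain previously had through oemfs; if that is the reason, state it, e.g. `# /oem/media was readable as oemfs; keep read access to the boot animations relabeled as bootanim_oem_file`. If no denial is actually observed for mediaprovider_app on these files, dropping the rule would be the tighter least-privilege choice. The message also mentions mediaserver and app domains, whose rules are not visible in this part of the diff.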