Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 277a20ebecda8f9d12a10c4f8eb52dbf04c30e43^! / . / private
commit277a20ebecda8f9d12a10c4f8eb52dbf04c30e43[log] [tgz]
authorSandeep Patil <sspatil@google.com>Sat Apr 01 17:17:12 2017 -0700
committerSandeep Patil <sspatil@google.com>Wed Apr 05 13:58:32 2017 -0700
treef6123ee74800acf7a0670232b55678c9e7d3e87f
parent82071b6859ca2c682178ea4b96323fc980d5101f [diff]
sepolicy: relabel /vendor

The CL splits /vendor labeling from /system. Which was allowing all
processes read, execute access to /vendor.

Following directories will remain world readable
 /vendor/etc
 /vendor/lib(64)/hw/

Following are currently world readable but their scope
will be minimized to platform processes that require access
 /vendor/app
 /vendor/framework/
 /vendor/overlay

Files labelled with 'same_process_hal_file' are allowed to be
read + executed from by the world. This is for Same process HALs and
their dependencies.

Bug: 36527360
Bug: 36832490
Bug: 36681210
Bug: 36680116
Bug: 36690845
Bug: 36697328
Bug: 36696623
Bug: 36806861
Bug: 36656392
Bug: 36696623
Bug: 36792803

All of the tests were done on sailfish, angler, bullhead, dragon
Test: Boot and connect to wifi
Test: Run chrome and load websites, play video in youtube, load maps w/
      current location, take pictures and record video in camera,
      playback recorded video.
Test: Connect to BT headset and ensure BT audio playback works.
Test: OTA sideload using recovery
Test: CTS SELinuxHostTest pass

Change-Id: I278435b72f7551a28f3c229f720ca608b77a7029
Signed-off-by: Sandeep Patil <sspatil@google.com>

diff --git a/private/file_contexts b/private/file_contexts
index 00d0e4c..9feeef9 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -259,7 +259,20 @@
 #############################
 # Vendor files
 #
-/vendor(/.*)?		u:object_r:system_file:s0
+/(vendor|system/vendor)(/.*)?                  u:object_r:vendor_file:s0
+/(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
+
+# TODO: b/36790901 move this to /vendor/etc
+/(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)?          u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)?        u:object_r:vendor_framework_file:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw            u:object_r:vendor_hal_file:s0
+
 /vendor/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0

diff --git a/private/system_server.te b/private/system_server.te
index 6f19e38..4302343 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -294,6 +294,9 @@
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
+# Access /vendor/app
+r_dir_file(system_server, vendor_app_file)
+
 # Manage /data/app-private.
 allow system_server apk_private_data_file:dir create_dir_perms;
 allow system_server apk_private_data_file:file create_file_perms;