commit 3639f57960811d6a41ca1968dea70a4315d5bbec
author Siarhei Vishniakou <svv@google.com> Mon Oct 08 12:04:15 2018 -0700
committer Siarhei Vishniakou <svv@google.com> Fri Oct 12 02:42:09 2018 +0000
tree 263b7ed256648a13b1c77b04f2ac8b6352c863a8
parent 9977e25411969764ac0bab16f7bbb530ee15ccd6

Allow system_server to read vendor_file

Input device configuration files .idc, .kl that are placed in /vendor
are currently not accessible.
Allow the read access here.

Bug: 112880217
Test: move .idc and .kl files from /system to /vendor, then observe
logcat. With this patch, avc denials disappear.

Change-Id: I72ad62b9adf415f787565adced73fd8aaff38832

private/compat/28.0/28.0.ignore.cil

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 3404dd5..ee5e3ce 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -49,5 +49,8 @@
     timedetector_service
     timezonedetector_service
     uri_grants_service
+    vendor_idc_file
+    vendor_keychars_file
+    vendor_keylayout_file
     vrflinger_vsync_service
     watchdogd_tmpfs))

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index a70f61b..9046ee1 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -349,6 +349,11 @@
 /(odm|vendor/odm)/overlay(/.*)?               u:object_r:vendor_overlay_file:s0
 /(odm|vendor/odm)/framework(/.*)?             u:object_r:vendor_framework_file:s0
 
+# Input configuration
+/(odm|vendor)/usr/keylayout(/.*)?.kl           u:object_r:vendor_keylayout_file:s0
+/(odm|vendor)/usr/keychars(/.*)?.kcm            u:object_r:vendor_keychars_file:s0
+/(odm|vendor)/usr/idc(/.*)?.idc                 u:object_r:vendor_idc_file:s0
+
 /oem(/.*)?              u:object_r:oemfs:s0
 
 # The precompiled monolithic sepolicy will be under /odm only when

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index e916415..048e5b2 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -352,6 +352,11 @@
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
+# Access input configuration files in the /vendor directory
+r_dir_file(system_server, vendor_keylayout_file)
+r_dir_file(system_server, vendor_keychars_file)
+r_dir_file(system_server, vendor_idc_file)
+
 # Access /vendor/{app,framework,overlay}
 r_dir_file(system_server, vendor_app_file)
 r_dir_file(system_server, vendor_framework_file)

public/file.te

diff --git a/public/file.te b/public/file.te
index 48c2a69..9bf910e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -171,6 +171,11 @@
 # apps. ABI stability of these libs is vendor's responsibility.
 type vendor_public_lib_file, vendor_file_type, file_type;
 
+# Input configuration
+type vendor_keylayout_file, vendor_file_type, file_type;
+type vendor_keychars_file, vendor_file_type, file_type;
+type vendor_idc_file, vendor_file_type, file_type;
+
 # /metadata partition itself
 type metadata_file, file_type;
 # Vold files within /metadata