Label the bootstrap linker and bionic mount points
Bootstrap linker has been moved from /system/bin/linker[64] to
/system/bin/bootstrap/linker[64]. Reflect the change in file_contexts.
Existing paths are not removed since the bootstrap linker (or the
linker from the runtime APEX) will be bind-mounted to the old path by
init.
Also label the files under /bionic which serve as mount points for
either of the bootstrap bionic or the bionic from the runtime APEX.
In addition, read access for the symlinks in /system/lib/*.so and
/system/bin/linker is granted. This is because Bionic files in the paths
are now symlinks to the corresponding mountpoints at /bionic.
Bug: 120266448
Test: device boots to the UI
Change-Id: Iea4d76eb46754b435b6c5428481cd177da8d2ee1
diff --git a/private/file_contexts b/private/file_contexts
index eb45401..d206f2d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -40,6 +40,10 @@
/etc u:object_r:rootfs:s0
/sdcard u:object_r:rootfs:s0
+/bionic(/.*)? u:object_r:system_file:s0
+/bionic/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/bionic/bin/linker(64)? u:object_r:system_linker_exec:s0
+
# SELinux policy files
/vendor_file_contexts u:object_r:file_contexts_file:s0
/nonplat_file_contexts u:object_r:file_contexts_file:s0
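Review bot: The three new `/bionic` entries have no comment, although the group after them has one (`# SELinux policy files`). A reader of file_contexts cannot tell that these paths are mount points rather than real binaries and libraries. I would add something like `# Mount points for the bootstrap bionic or the bionic from the runtime APEX (bind-mounted by init)` above them. Because `system_linker_exec` and `system_lib_file` are executable by every domain (see the `allow domain ... execute` rules in public/domain.te), it is also worth confirming that the placeholder files under `/bionic` are empty and live on a read-only filesystem. Presumably these labels only take effect before the bind mount or if it fails, since afterwards the mounted file's own label should apply.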
@@ -251,6 +255,7 @@
/system/bin/healthd u:object_r:healthd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
+/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
diff --git a/public/domain.te b/public/domain.te
index d112003..03e745c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -125,6 +125,9 @@
allow domain system_linker_exec:file { execute read open getattr map };
allow domain system_linker_config_file:file r_file_perms;
allow domain system_lib_file:file { execute read open getattr map };
+# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
+allow domain system_linker_exec:lnk_file { read open getattr };
+allow domain system_lib_file:lnk_file { read open getattr };
allow domain system_event_log_tags_file:file r_file_perms;
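Review bot: The two `lnk_file` rules are granted to `domain`, so every process can read any symlink labelled `system_linker_exec` or `system_lib_file`, not only the bionic ones named in the comment. Going by the `/system/bin/linker(64)?` entry and the commit message, that takes in everything under `/system/lib*`, so the comment should state that scope, e.g. `# Bionic files under /system are symlinks to /bionic; applies to all symlinks with these types`. The `open` permission also looks unnecessary for following or lstat-ing a symlink. If testing confirms that, `{ read getattr }` is the narrower grant: `allow domain system_lib_file:lnk_file { read getattr };`. A neverallow or test asserting that these types are only ever assigned on read-only partitions would keep the domain-wide grant from becoming a symlink-redirection primitive later.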