Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 806898db48a6c00dea576fdce07420018d7eecf3^! / . / private / compat
commit806898db48a6c00dea576fdce07420018d7eecf3[log] [tgz]
authorYi-Yo Chiang <yochiang@google.com>Mon Mar 22 13:46:12 2021 +0800
committerYo Chiang <yochiang@google.com>Mon Mar 29 03:09:35 2021 +0000
tree3ad92870445f00382db773bfea14f9d06d49249f
parent9f3fe38950236e59fa2791df6f407810c6d2a4f0 [diff]
Split gsi_metadata_file and add gsi_metadata_file_type attribute

Split gsi_metadata_file into gsi_metadata_file plus
gsi_public_metadata_file, and add gsi_metadata_file_type attribute.
Files that are okay to be publicly readable are labeled with
gsi_public_metadata_file. Right now only files needed to infer the
device fstab belong to this label.
The difference between gsi_metadata_file and gsi_public_metadata_file is
that gsi_public_metadata_file has relaxed neverallow rules, so processes
who wish to read the fstab can add the respective allow rules to their
policy files.
Allow gsid to restorecon on gsi_metadata_file to fix the file context of
gsi_public_metadata_file.

Bug: 181110285
Test: Build pass
Test: Issue a DSU installation then verify no DSU related denials and
  files under /metadata/gsi/ are labeled correctly.
Change-Id: I54a5fe734dd345e28fd8c0874d5fceaf80ab8c11

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index d24d12d..e7ddf48 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil

@@ -61,6 +61,7 @@
     gpuservice
     gsi_data_file
     gsi_metadata_file
+    gsi_public_metadata_file
     gsi_service
     gsid
     gsid_exec

diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
index 73374e6..2b2b04a 100644
--- a/private/compat/30.0/30.0.cil
+++ b/private/compat/30.0/30.0.cil

@@ -1482,7 +1482,9 @@
 (typeattributeset graphics_device_30_0 (graphics_device))
 (typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
 (typeattributeset gsi_data_file_30_0 (gsi_data_file))
-(typeattributeset gsi_metadata_file_30_0 (gsi_metadata_file))
+(typeattributeset gsi_metadata_file_30_0
+  ( gsi_metadata_file
+    gsi_public_metadata_file))
 (typeattributeset gsid_prop_30_0 (gsid_prop))
 (typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
 (typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))