service_contexts: label service_contexts explicitly
The label applies to all service_contexts regardless of their location.
This also lets us track the service_contexts usage and limit access to
the files for the corresponding object manager alone.
Bug: 36002427
Test: Boot sailfish and observe no denials for 'serice_contexts'
Test: cts-tradefed run singleCommand cts --skip-device-info \
--skip-preconditions --skip-connectivity-check \
--abi arm64-v8a --module CtsSecurityHostTestCases \
-t android.security.cts.SELinuxHostTest#testAospServiceContexts
Change-Id: I97fc8b24bc99ca5c00d010fb522cd39a35572858
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/private/file_contexts b/private/file_contexts
index 5c0bc67..90df77c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -50,8 +50,8 @@
/nonplat_seapp_contexts u:object_r:rootfs:s0
/plat_seapp_contexts u:object_r:rootfs:s0
/sepolicy u:object_r:rootfs:s0
-/plat_service_contexts u:object_r:rootfs:s0
-/nonplat_service_contexts u:object_r:rootfs:s0
+/plat_service_contexts u:object_r:service_contexts_file:s0
+/nonplat_service_contexts u:object_r:service_contexts_file:s0
##########################
# Devices
@@ -250,12 +250,14 @@
/system/bin/vr_wm u:object_r:vr_wm_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
#############################
# Vendor files
#
/vendor(/.*)? u:object_r:system_file:s0
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
#############################
# OEM and ODM files