Allow bootstrap bionic only to init, ueventd, and apexd
The bootstrap bionic libraries (/system/lib/bootstrap/*) are meant only for the early
processes that are executed before the bionic libraries become available
via the runtime APEX. Allowing other processes to access them is not needed and
sometimes causes problems like b/123183824.
Bug: 123183824
Test: device boots to the UI
Test: atest CtsJniTestCases:android.jni.cts.JniStaticTest#test_linker_namespaces
Change-Id: Id7bba2e8ed1c9faf6aa85dbbdd89add04826b160
diff --git a/private/apexd.te b/private/apexd.te
index 6066fd6..b3aabea 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -93,6 +93,10 @@
# rule is required, thus restricted to execute and not execute_no_trans.
allow apexd shell_exec:file { r_file_perms execute };
+# apexd is using bootstrap bionic
+allow apexd system_bootstrap_lib_file:dir r_dir_perms;
+allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+
# Allow transition to ART APEX preinstall domain.
domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
# Allow transition to ART APEX postinstall domain.
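Review bot: The added `allow apexd system_bootstrap_lib_file:...` rules grant access, but nothing visible in this diff prevents another domain from being granted the same type later, so the "only" in the title is not enforced at build time. If it is not already added in a part of the change outside this view, a neverallow would close that gap, e.g. `neverallow { domain -init -ueventd -apexd } system_bootstrap_lib_file:file { execute map };`, with the exemption list confirmed against the domains that really start before the runtime APEX is mounted. The comment could also state the reason rather than the fact, e.g. `# apexd starts before the runtime APEX is activated, so it must link against bootstrap bionic.` Listing the file permissions explicitly, without execute_no_trans, matches the restriction described in the context line above and is worth keeping.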
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index d47c771..45e1dd9 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -160,6 +160,7 @@
super_block_device
sysfs_fs_ext4_features
system_boot_reason_prop
+ system_bootstrap_lib_file
system_lmk_prop
system_net_netd_hwservice
system_update_service
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index b39dd4b..0e830f8 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -146,6 +146,7 @@
super_block_device
staging_data_file
system_boot_reason_prop
+ system_bootstrap_lib_file
system_lmk_prop
system_update_service
test_boot_reason_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 1496469..2ea4d2c 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -121,6 +121,7 @@
su_tmpfs
super_block_device
sysfs_fs_f2fs
+ system_bootstrap_lib_file
system_event_log_tags_file
system_lmk_prop
system_suspend_hwservice
diff --git a/private/file_contexts b/private/file_contexts
index c8c881d..7cbb623 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -180,6 +180,7 @@
#
/system(/.*)? u:object_r:system_file:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
/system/bin/ashmemd u:object_r:ashmemd_exec:s0
/system/bin/auditctl u:object_r:auditctl_exec:s0
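Review bot: The new `/system/lib(64)?/bootstrap(/.*)?` entry has no comment, and it only works if it takes precedence over the broader `/system/lib(64)?(/.*)?` entry directly above it. A one-line comment would record both points, e.g. `# Bootstrap bionic: only for processes that run before the runtime APEX provides bionic; must stay more specific than the system_lib_file entry.` Rules written against system_lib_file stop applying to these files once they are relabeled. It is therefore worth checking a full boot's audit log for denials on `system_bootstrap_lib_file`, in addition to the two tests listed in the commit message.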