mac_permissions: explicitly label all mac_permissions files
*mac_permissions.xml files need to be explicitly labeled as they are now split
cross system and vendor and won't have the generic world readable
'system_file' or 'rootfs' label.
Bug: 36003167
Test: no new 'mac_perms_file' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: Launch 'chrome' and succesfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, succesfully playback recorded
video
Change-Id: I1c882872bb78d1242ba273756ef0dc27487f58fc
Signed-off-by: Sandeep Patil <sspatil@google.com>
diff --git a/private/file_contexts b/private/file_contexts
index 4735191..6687144 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -249,6 +249,7 @@
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/vr_wm u:object_r:vr_wm_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/plat_mac_permissions.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
@@ -261,6 +262,7 @@
#
/vendor(/.*)? u:object_r:system_file:s0
/vendor/etc/selinux/mapping_sepolicy.cil u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
/vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0