Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / c9cf7361c1f5000834f125d287df8d2708b4d634^! / . / private
commitc9cf7361c1f5000834f125d287df8d2708b4d634[log] [tgz]
authorSandeep Patil <sspatil@google.com>Fri Mar 24 15:02:13 2017 -0700
committerSandeep Patil <sspatil@google.com>Wed Mar 29 10:17:21 2017 -0700
tree57d3bb01add8e0b14e593831f89d12350ae768ec
parent939d16b59f08c083c026899550d0128dfe49072a [diff]
file_context: explicitly label all file context files

file_context files need to be explicitly labeled as they are now split
across system and vendor and won't have the generic world readable
'system_file' label.

Bug: 36002414
Test: no new 'file_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
       --skip-preconditions --skip-connectivity-check --abi \
       arm64-v8a --module CtsSecurityHostTestCases -t \
       android.security.cts.SELinuxHostTest#testAospFileContexts

Change-Id: I603157e9fa7d1de3679d41e343de397631666273
Signed-off-by: Sandeep Patil <sspatil@google.com>

diff --git a/private/adbd.te b/private/adbd.te
index 80c6a01..2b80281 100644
--- a/private/adbd.te
+++ b/private/adbd.te

@@ -101,6 +101,7 @@
 allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
 allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
 
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;

diff --git a/private/file_contexts b/private/file_contexts
index 90df77c..08deeaf 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -38,9 +38,9 @@
 /sdcard             u:object_r:rootfs:s0
 
 # SELinux policy files
-/file_contexts\.bin u:object_r:rootfs:s0
-/nonplat_file_contexts u:object_r:rootfs:s0
-/plat_file_contexts u:object_r:rootfs:s0
+/file_contexts\.bin     u:object_r:file_contexts_file:s0
+/nonplat_file_contexts  u:object_r:file_contexts_file:s0
+/plat_file_contexts     u:object_r:file_contexts_file:s0
 /mapping_sepolicy\.cil   u:object_r:rootfs:s0
 /nonplat_sepolicy\.cil   u:object_r:rootfs:s0
 /plat_sepolicy\.cil      u:object_r:rootfs:s0
@@ -251,6 +251,7 @@
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 
 #############################
 # Vendor files
@@ -258,6 +259,7 @@
 /vendor(/.*)?		u:object_r:system_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
 
 #############################
 # OEM and ODM files

diff --git a/private/system_server.te b/private/system_server.te
index 5aae022..698ae8e 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -230,6 +230,8 @@
 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
 allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(system_server)