Merge changes from topic 'vnd-sepol' into oc-dev
* changes:
Allow 'su' domain access to vndbinder.
Modify checkfc to check (vnd|hw)service_manager_type.
diff --git a/Android.mk b/Android.mk
index 3f691e9..04379ed 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1091,7 +1091,7 @@
$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -v $(PRIVATE_SEPOLICY) -e $@
vnd_svcfiles :=
vndservice_contexts.tmp :=
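Review bot: The new invocation on the `+` line puts `-e` after the positional `$(PRIVATE_SEPOLICY)` argument, which only works where getopt permutes arguments (glibc); a POSIX/BSD getopt, as on a Darwin host, stops option parsing at the first non-option, so `-e` would be consumed as the context_file and `$@` left as a stray extra argument. Placing all options first avoids depending on that behaviour: `$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -v -e $(PRIVATE_SEPOLICY) $@`. Note also that with `-e` an empty vndservice_contexts file now passes the check, so a `sed` on the line above that happens to strip every entry will no longer be caught at build time; if that is intended, a one-line comment on the rule saying why empty is acceptable for vendor service contexts would help the next reader.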
diff --git a/public/su.te b/public/su.te
index 8cb386d..f410c4d 100644
--- a/public/su.te
+++ b/public/su.te
@@ -10,6 +10,9 @@
# Add su to various domains
net_domain(su)
+ # grant su access to vndbinder
+ vndbinder_use(su)
+
dontaudit su self:capability_class_set *;
dontaudit su kernel:security *;
dontaudit su kernel:system *;
@@ -34,6 +37,8 @@
dontaudit su property_type:property_service *;
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
+ dontaudit su hwservice_manager_type:hwservice_manager *;
+ dontaudit su vndservice_manager_type:vndservice_manager *;
dontaudit su servicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
dontaudit su domain:drmservice *;
diff --git a/tools/checkfc.c b/tools/checkfc.c
index 8a28f3c..9cbd912 100644
--- a/tools/checkfc.c
+++ b/tools/checkfc.c
@@ -15,12 +15,16 @@
static const char * const CHECK_FC_ASSERT_ATTRS[] = { "fs_type", "dev_type", "file_type", NULL };
static const char * const CHECK_PC_ASSERT_ATTRS[] = { "property_type", NULL };
static const char * const CHECK_SC_ASSERT_ATTRS[] = { "service_manager_type", NULL };
+static const char * const CHECK_HW_SC_ASSERT_ATTRS[] = { "hwservice_manager_type", NULL };
+static const char * const CHECK_VND_SC_ASSERT_ATTRS[] = { "vndservice_manager_type", NULL };
typedef enum filemode filemode;
enum filemode {
filemode_file_contexts = 0,
filemode_property_contexts,
- filemode_service_contexts
+ filemode_service_contexts,
+ filemode_hw_service_contexts,
+ filemode_vendor_service_contexts
};
static struct {
@@ -55,6 +59,10 @@
return CHECK_PC_ASSERT_ATTRS;
case filemode_service_contexts:
return CHECK_SC_ASSERT_ATTRS;
+ case filemode_hw_service_contexts:
+ return CHECK_HW_SC_ASSERT_ATTRS;
+ case filemode_vendor_service_contexts:
+ return CHECK_VND_SC_ASSERT_ATTRS;
}
/* die on invalid parameters */
fprintf(stderr, "Error: Invalid mode of operation: %d\n", mode);
@@ -185,10 +193,13 @@
}
static void usage(char *name) {
- fprintf(stderr, "usage1: %s [-p|-s] [-e] sepolicy context_file\n\n"
+ fprintf(stderr, "usage1: %s [-l|-p|-s|-v] [-e] sepolicy context_file\n\n"
"Parses a context file and checks for syntax errors.\n"
- "The context_file is assumed to be a file_contexts file\n"
- "unless the -p or -s option is used to indicate the property or service backend respectively.\n"
+ "If -p is specified, the property backend is used.\n"
+ "If -s is specified, the service backend is used to verify binder services.\n"
+ "If -l is specified, the service backend is used to verify hwbinder services.\n"
+ "If -v is specified, the service backend is used to verify vndbinder services.\n"
+ "Otherwise, context_file is assumed to be a file_contexts file\n"
"If -e is specified, then the context_file is allowed to be empty.\n\n"
"usage2: %s -c file_contexts1 file_contexts2\n\n"
@@ -332,7 +343,7 @@
filemode mode = filemode_file_contexts;
- while ((c = getopt(argc, argv, "cpse")) != -1) {
+ while ((c = getopt(argc, argv, "clpsve")) != -1) {
switch (c) {
case 'c':
compare = true;
@@ -348,6 +359,14 @@
mode = filemode_service_contexts;
backend = SELABEL_CTX_ANDROID_SERVICE;
break;
+ case 'l':
+ mode = filemode_hw_service_contexts;
+ backend = SELABEL_CTX_ANDROID_SERVICE;
+ break;
+ case 'v':
+ mode = filemode_vendor_service_contexts;
+ backend = SELABEL_CTX_ANDROID_SERVICE;
+ break;
case 'h':
default:
usage(argv[0]);
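Review bot: The new `'l'` and `'v'` cases assign `mode` and `backend` unconditionally, so when more than one of `-l`, `-p`, `-s`, `-v` is given the last flag silently wins, even though the usage text advertises them as alternatives (`[-l|-p|-s|-v]`); that means a wrong attribute set could be asserted without any diagnostic. A guard before each assignment makes the exclusivity real, e.g. `if (mode != filemode_file_contexts) usage(argv[0]);` as the first line of each of these cases — the same guard belongs on the existing `-p` and `-s` cases, which lie outside this hunk. The enclosing function (the one that owns `argv` and `mode`) starts and ends outside the hunk, and the usage hunk above could say in one sentence that the four mode options are mutually exclusive so the behaviour is documented as well as enforced.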