Fix preinstalled app partition check am: e7d2d82bbb am: 066e9c5d2a am: 1847b12d43 am: ba4c95392d

Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2672475

Change-Id: I6ec3ee9c8188d6bfac3e97fe3eb08ac8a2ed5677
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

libselinux/src/android/android_seapp.c

@@ -702,9 +702,10 @@ static bool is_platform(const char *partition) {
 	return false;
 }
 
-static bool check_preinstalled_app_partition(const char *spec, const char *app) {
+static bool is_preinstalled_app_partition_valid(const char *app_policy, const char *app_partition) {
 	// We forbid system/system_ext/product installed apps from being labeled with vendor sepolicy.
-	return !is_platform(spec) && is_platform(app);
+	// So, either the app shouldn't be platform, or the spec should be platform.
+	return !(is_platform(app_partition) && !is_platform(app_policy));
 }
 
 
@@ -896,14 +897,6 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
 		}
 
 		if (cur->levelFrom != LEVELFROM_NONE) {
-			if (isPreinstalledApp
-					&& !check_preinstalled_app_partition(cur->partition, partition)) {
-				// TODO(b/280547417): make this an error after fixing violations
-				selinux_log(SELINUX_ERROR,
-					"%s:  App %s preinstalled to %s can't be labeled with %s sepolicy",
-					__FUNCTION__, pkgname, partition, cur->partition);
-			}
-
 			int res = set_range_from_level(ctx, cur->levelFrom, userid, appid);
 			if (res != 0) {
 				return res;
@@ -913,6 +906,14 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
 				goto oom;
 		}
 
+		if (isPreinstalledApp
+				&& !is_preinstalled_app_partition_valid(cur->partition, partition)) {
+			// TODO(b/280547417): make this an error after fixing violations
+			selinux_log(SELINUX_ERROR,
+				"%s:  App %s preinstalled to %s can't be labeled with %s sepolicy",
+				__FUNCTION__, pkgname, partition, cur->partition);
+		}
+
 		break;
 	}