sepolicy: explicitly label all sepolicy files

sepolicy files need to be explicitly labeled as they are now split cross system and vendor and won't have the generic world readable 'system_file' or 'rootfs' label. Bug: 36527360 Test: no new 'sepolicy_file' denials at boot complete on sailfish Test: successfully booted into recovery without denials and sideloaded OTA update. Test: Launch 'chrome' and succesfully load a website. Test: Launch Camera and take a picture. Test: Launch Camera and record a video, succesfully playback recorded video Change-Id: I6fe8ba31588c2d75521c6e2b0bf7e6d6eaf80a19 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-27 11:39:16 -07:00 · 2017-03-27 11:39:16 -07:00 · 136caa1b65
commit 136caa1b65
parent 1e149967a2
3 changed files with 16 additions and 4 deletions
--- a/private/file_contexts
+++ b/private/file_contexts
@ -41,15 +41,15 @@
 /file_contexts\.bin     u:object_r:file_contexts_file:s0
 /nonplat_file_contexts  u:object_r:file_contexts_file:s0
 /plat_file_contexts     u:object_r:file_contexts_file:s0
-/mapping_sepolicy\.cil   u:object_r:rootfs:s0
-/nonplat_sepolicy\.cil   u:object_r:rootfs:s0
-/plat_sepolicy\.cil      u:object_r:rootfs:s0
+/mapping_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil   u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil      u:object_r:sepolicy_file:s0
 /plat_property_contexts  u:object_r:property_contexts_file:s0
 /nonplat_property_contexts  u:object_r:property_contexts_file:s0
 /seapp_contexts     u:object_r:seapp_contexts_file:s0
 /nonplat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
-/sepolicy           u:object_r:rootfs:s0
+/sepolicy           u:object_r:sepolicy_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /nonplat_service_contexts   u:object_r:service_contexts_file:s0

@ -253,15 +253,21 @@
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 /system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_sepolicy.cil.sha256 u:object_r:sepolicy_file:s0

 #############################
 # Vendor files
 #
 /vendor(/.*)?		u:object_r:system_file:s0
+/vendor/etc/selinux/mapping_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
 /vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
 /vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
+/vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0

 #############################
 # OEM and ODM files
--- a/public/file.te
+++ b/public/file.te
@ -265,6 +265,9 @@ type property_contexts_file, file_type;
 # seapp_contexts file
 type seapp_contexts_file, file_type;

+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
 # service_contexts file
 type service_contexts_file, file_type;

--- a/public/init.te
+++ b/public/init.te
@ -302,6 +302,9 @@ allow init self:process { setexec setfscreate setsockcreate };
 # Get file context
 allow init file_contexts_file:file r_file_perms;

+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
 # Perform SELinux access checks on setting properties.
 selinux_check_access(init)