sepolicy: make exec_types in /vendor a subset of vendor_file_type

We install all default hal implementations in /vendor/bin/hw along with a few domains that are defined in vendor policy and installed in /vendor. These files MUST be a subset of the global 'vendor_file_type' which is used to address *all files installed in /vendor* throughout the policy. Bug: 36463595 Test: Boot sailfish without any new denials Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41 Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-04-10 13:03:28 -07:00 · 2017-04-10 13:03:28 -07:00 · 2ee66e7d14
commit 2ee66e7d14
parent c051300e5e
33 changed files with 33 additions and 33 deletions
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@ -1,6 +1,6 @@
 # mediacodec - audio and video codecs live here
 type mediacodec, domain;
-type mediacodec_exec, exec_type, file_type;
+type mediacodec_exec, exec_type, vendor_file_type, file_type;

 typeattribute mediacodec mlstrustedsubject;

--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@ -1,7 +1,7 @@
 type hal_audio_default, domain;
 hal_server_domain(hal_audio_default, hal_audio)

-type hal_audio_default_exec, exec_type, file_type;
+type hal_audio_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_audio_default)

 hal_client_domain(hal_audio_default, hal_allocator)
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@ -1,5 +1,5 @@
 type hal_bluetooth_default, domain;
 hal_server_domain(hal_bluetooth_default, hal_bluetooth)

-type hal_bluetooth_default_exec, exec_type, file_type;
+type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bluetooth_default)
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@ -2,5 +2,5 @@
 type hal_bootctl_default, domain;
 hal_server_domain(hal_bootctl_default, hal_bootctl)

-type hal_bootctl_default_exec, exec_type, file_type;
+type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bootctl_default)
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@ -1,7 +1,7 @@
 type hal_camera_default, domain;
 hal_server_domain(hal_camera_default, hal_camera)

-type hal_camera_default_exec, exec_type, file_type;
+type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)

 # TODO (b/36601397) move hal_camera's data file to
--- a/vendor/hal_configstore_default.te
+++ b/vendor/hal_configstore_default.te
@ -1,5 +1,5 @@
 type hal_configstore_default, domain;
 hal_server_domain(hal_configstore_default, hal_configstore)

-type hal_configstore_default_exec, exec_type, file_type;
+type hal_configstore_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_configstore_default)
--- a/vendor/hal_contexthub_default.te
+++ b/vendor/hal_contexthub_default.te
@ -1,5 +1,5 @@
 type hal_contexthub_default, domain;
 hal_server_domain(hal_contexthub_default, hal_contexthub)

-type hal_contexthub_default_exec, exec_type, file_type;
+type hal_contexthub_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_contexthub_default)
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@ -1,7 +1,7 @@
 type hal_drm_default, domain;
 hal_server_domain(hal_drm_default, hal_drm)

-type hal_drm_default_exec, exec_type, file_type;
+type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_drm_default)

 allow hal_drm_default mediacodec:fd use;
--- a/vendor/hal_dumpstate_default.te
+++ b/vendor/hal_dumpstate_default.te
@ -1,5 +1,5 @@
 type hal_dumpstate_default, domain;
 hal_server_domain(hal_dumpstate_default, hal_dumpstate)

-type hal_dumpstate_default_exec, exec_type, file_type;
+type hal_dumpstate_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_dumpstate_default)
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@ -1,7 +1,7 @@
 type hal_fingerprint_default, domain;
 hal_server_domain(hal_fingerprint_default, hal_fingerprint)

-type hal_fingerprint_default_exec, exec_type, file_type;
+type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_fingerprint_default)

 # TODO (b/36644492) move hal_fingerprint's data file to
--- a/vendor/hal_gatekeeper_default.te
+++ b/vendor/hal_gatekeeper_default.te
@ -1,5 +1,5 @@
 type hal_gatekeeper_default, domain;
 hal_server_domain(hal_gatekeeper_default, hal_gatekeeper)

-type hal_gatekeeper_default_exec, exec_type, file_type;
+type hal_gatekeeper_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gatekeeper_default);
--- a/vendor/hal_gnss_default.te
+++ b/vendor/hal_gnss_default.te
@ -1,7 +1,7 @@
 type hal_gnss_default, domain;
 hal_server_domain(hal_gnss_default, hal_gnss)

-type hal_gnss_default_exec, exec_type, file_type;
+type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gnss_default)

 # Read access to system files for HALs in
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@ -1,5 +1,5 @@
 type hal_graphics_allocator_default, domain;
 hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)

-type hal_graphics_allocator_default_exec, exec_type, file_type;
+type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_allocator_default)
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@ -1,5 +1,5 @@
 type hal_graphics_composer_default, domain;
 hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)

-type hal_graphics_composer_default_exec, exec_type, file_type;
+type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_composer_default)
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te
@ -2,5 +2,5 @@
 type hal_health_default, domain;
 hal_server_domain(hal_health_default, hal_health)

-type hal_health_default_exec, exec_type, file_type;
+type hal_health_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_health_default)
--- a/vendor/hal_ir_default.te
+++ b/vendor/hal_ir_default.te
@ -1,5 +1,5 @@
 type hal_ir_default, domain;
 hal_server_domain(hal_ir_default, hal_ir)

-type hal_ir_default_exec, exec_type, file_type;
+type hal_ir_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_ir_default)
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@ -1,5 +1,5 @@
 type hal_keymaster_default, domain;
 hal_server_domain(hal_keymaster_default, hal_keymaster)

-type hal_keymaster_default_exec, exec_type, file_type;
+type hal_keymaster_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_keymaster_default)
--- a/vendor/hal_light_default.te
+++ b/vendor/hal_light_default.te
@ -1,5 +1,5 @@
 type hal_light_default, domain;
 hal_server_domain(hal_light_default, hal_light)

-type hal_light_default_exec, exec_type, file_type;
+type hal_light_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_light_default)
--- a/vendor/hal_memtrack_default.te
+++ b/vendor/hal_memtrack_default.te
@ -1,5 +1,5 @@
 type hal_memtrack_default, domain;
 hal_server_domain(hal_memtrack_default, hal_memtrack)

-type hal_memtrack_default_exec, exec_type, file_type;
+type hal_memtrack_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_memtrack_default)
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@ -1,7 +1,7 @@
 type hal_nfc_default, domain;
 hal_server_domain(hal_nfc_default, hal_nfc)

-type hal_nfc_default_exec, exec_type, file_type;
+type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_nfc_default)

 # TODO (b/36645109) Remove hal_nfc's access to the nfc app's
--- a/vendor/hal_power_default.te
+++ b/vendor/hal_power_default.te
@ -1,5 +1,5 @@
 type hal_power_default, domain;
 hal_server_domain(hal_power_default, hal_power)

-type hal_power_default_exec, exec_type, file_type;
+type hal_power_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_power_default)
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@ -1,5 +1,5 @@
 type hal_sensors_default, domain;
 hal_server_domain(hal_sensors_default, hal_sensors)

-type hal_sensors_default_exec, exec_type, file_type;
+type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_sensors_default)
--- a/vendor/hal_thermal_default.te
+++ b/vendor/hal_thermal_default.te
@ -1,5 +1,5 @@
 type hal_thermal_default, domain;
 hal_server_domain(hal_thermal_default, hal_thermal)

-type hal_thermal_default_exec, exec_type, file_type;
+type hal_thermal_default_exec, exec_type, vendor_file_type, vendor_file_type, file_type;
 init_daemon_domain(hal_thermal_default)
--- a/vendor/hal_tv_input_default.te
+++ b/vendor/hal_tv_input_default.te
@ -1,6 +1,6 @@
 type hal_tv_input_default, domain;
 hal_server_domain(hal_tv_input_default, hal_tv_input)

-type hal_tv_input_default_exec, exec_type, file_type;
+type hal_tv_input_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_tv_input_default)

--- a/vendor/hal_usb_default.te
+++ b/vendor/hal_usb_default.te
@ -1,5 +1,5 @@
 type hal_usb_default, domain;
 hal_server_domain(hal_usb_default, hal_usb)

-type hal_usb_default_exec, exec_type, file_type;
+type hal_usb_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_usb_default)
--- a/vendor/hal_vibrator_default.te
+++ b/vendor/hal_vibrator_default.te
@ -1,5 +1,5 @@
 type hal_vibrator_default, domain;
 hal_server_domain(hal_vibrator_default, hal_vibrator)

-type hal_vibrator_default_exec, exec_type, file_type;
+type hal_vibrator_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_vibrator_default)
--- a/vendor/hal_vr_default.te
+++ b/vendor/hal_vr_default.te
@ -1,5 +1,5 @@
 type hal_vr_default, domain;
 hal_server_domain(hal_vr_default, hal_vr)

-type hal_vr_default_exec, exec_type, file_type;
+type hal_vr_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_vr_default)
--- a/vendor/hal_wifi_default.te
+++ b/vendor/hal_wifi_default.te
@ -1,5 +1,5 @@
 type hal_wifi_default, domain;
 hal_server_domain(hal_wifi_default, hal_wifi)

-type hal_wifi_default_exec, exec_type, file_type;
+type hal_wifi_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_wifi_default)
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@ -1,7 +1,7 @@
 # wpa supplicant or equivalent
 type hal_wifi_supplicant_default, domain;
 hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
-type hal_wifi_supplicant_default_exec, exec_type, file_type;
+type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_wifi_supplicant_default)

 net_domain(hal_wifi_supplicant_default)
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@ -1,6 +1,6 @@
 # userspace wifi access points
 type hostapd, domain;
-type hostapd_exec, exec_type, file_type;
+type hostapd_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(hostapd)

--- a/vendor/rild.te
+++ b/vendor/rild.te
@ -1,6 +1,6 @@
 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
-type rild_exec, exec_type, file_type;
+type rild_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(rild)

 # TODO(b/36613472), TODO(b/36718031): Remove this once rild no longer
--- a/vendor/tee.te
+++ b/vendor/tee.te
@ -3,7 +3,7 @@
 #
 typeattribute tee domain_deprecated;

-type tee_exec, exec_type, file_type;
+type tee_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(tee)

 allow tee self:capability { dac_override };
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@ -1,5 +1,5 @@
 # vndservicemanager - the Binder context manager for vendor processes
-type vndservicemanager_exec, exec_type, file_type;
+type vndservicemanager_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(vndservicemanager);