Merge "Add vendor_public_framework_file type to SEPolicy" am: 883de3cd2e am: 9a2af4a3ad am: 0460e14939

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1556299

MUST ONLY BE SUBMITTED BY AUTOMERGER

Change-Id: I676e9dc8b95fb1053d9a54c39cc1089c63fd8972

private/compat/29.0/29.0.cil

@@ -1914,7 +1914,9 @@
 (typeattributeset vendor_keychars_file_29_0 (vendor_keychars_file))
 (typeattributeset vendor_keylayout_file_29_0 (vendor_keylayout_file))
 (typeattributeset vendor_overlay_file_29_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_29_0 (vendor_public_lib_file))
+(typeattributeset vendor_public_lib_file_29_0
+    ( vendor_public_framework_file
+      vendor_public_lib_file))
 (typeattributeset vendor_security_patch_level_prop_29_0 (vendor_security_patch_level_prop))
 (typeattributeset vendor_shell_29_0 (vendor_shell))
 (typeattributeset vendor_shell_exec_29_0 (vendor_shell_exec))

private/compat/30.0/30.0.cil

@@ -2185,7 +2185,9 @@
 (typeattributeset vendor_misc_writer_30_0 (vendor_misc_writer))
 (typeattributeset vendor_misc_writer_exec_30_0 (vendor_misc_writer_exec))
 (typeattributeset vendor_overlay_file_30_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_30_0 (vendor_public_lib_file))
+(typeattributeset vendor_public_lib_file_30_0
+    ( vendor_public_framework_file
+      vendor_public_lib_file))
 (typeattributeset vendor_security_patch_level_prop_30_0 (vendor_security_patch_level_prop))
 (typeattributeset vendor_shell_30_0 (vendor_shell))
 (typeattributeset vendor_shell_exec_30_0 (vendor_shell_exec))

private/domain.te

@@ -471,6 +471,7 @@ full_treble_only(`
     -vendor_keychars_file
     -vendor_keylayout_file
     -vendor_overlay_file
+    -vendor_public_framework_file
     -vendor_public_lib_file
     -vendor_task_profiles_file
     -vndk_sp_file

public/app.te

@@ -120,8 +120,8 @@ r_dir_file(appdomain, vendor_overlay_file)
 r_dir_file(appdomain, vendor_framework_file)
 
 # Allow apps read / execute access to vendor public libraries.
-allow appdomain vendor_public_lib_file:dir r_dir_perms;
-allow appdomain vendor_public_lib_file:file { execute read open getattr map };
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
+allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
 
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { getattr read write map };

public/domain.te

@@ -987,6 +987,7 @@ full_treble_only(`
       -same_process_hal_file
       -vndk_sp_file
       -vendor_app_file
+      -vendor_public_framework_file
       -vendor_public_lib_file
     }:file execute;
 ')
@@ -1349,7 +1350,7 @@ full_treble_only(`
   neverallow {
     coredomain
     -appdomain
-  } vendor_public_lib_file:file { execute execute_no_trans };
+  } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
 ')
 
 # Vendor domian must not have access to /mnt/product.

public/file.te

@@ -224,6 +224,9 @@ type vendor_overlay_file, vendor_file_type, file_type;
 # Type for all vendor public libraries. These libs should only be exposed to
 # apps. ABI stability of these libs is vendor's responsibility.
 type vendor_public_lib_file, vendor_file_type, file_type;
+# Type for all vendor public libraries for system. These libs should only be exposed to
+# system. ABI stability of these libs is vendor's responsibility.
+type vendor_public_framework_file, vendor_file_type, file_type;
 
 # Input configuration
 type vendor_keylayout_file, vendor_file_type, file_type;