Merge "Allow domain access r_file_perms for passwd and group files"

private/compat/29.0/29.0.ignore.cil

@@ -11,6 +11,8 @@
     ota_metadata_file
     runtime_apex_dir
     system_ashmem_hwservice
+    system_group_file
+    system_passwd_file
     vendor_apex_file
     wifi_stack
     wifi_stack_service

private/file_contexts

@@ -304,7 +304,9 @@
 /system/bin/hw/android\.system\.suspend@1\.0-service          u:object_r:system_suspend_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
 /system/etc/event-log-tags              u:object_r:system_event_log_tags_file:s0
+/system/etc/group                       u:object_r:system_group_file:s0
 /system/etc/ld\.config.*                u:object_r:system_linker_config_file:s0
+/system/etc/passwd                      u:object_r:system_passwd_file:s0
 /system/etc/seccomp_policy(/.*)?        u:object_r:system_seccomp_policy_file:s0
 /system/etc/security/cacerts(/.*)?      u:object_r:system_security_cacerts_file:s0
 /system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil       u:object_r:sepolicy_file:s0
@@ -398,6 +400,8 @@
 # Product files
 #
 /(product|system/product)(/.*)?                                 u:object_r:system_file:s0
+/(product|system/product)/etc/group                             u:object_r:system_group_file:s0
+/(product|system/product)/etc/passwd                            u:object_r:system_passwd_file:s0
 /(product|system/product)/overlay(/.*)?                         u:object_r:vendor_overlay_file:s0
 
 /(product|system/product)/etc/selinux/product_file_contexts      u:object_r:file_contexts_file:s0
@@ -411,6 +415,8 @@
 # SystemExt files
 #
 /(system_ext|system/system_ext)(/.*)?               u:object_r:system_file:s0
+/(system_ext|system/system_ext)/etc/group           u:object_r:system_group_file:s0
+/(system_ext|system/system_ext)/etc/passwd          u:object_r:system_passwd_file:s0
 /(system_ext|system/system_ext)/overlay(/.*)?       u:object_r:vendor_overlay_file:s0
 
 #############################

public/domain.te

@@ -141,10 +141,12 @@ allow domain {
 allow domain system_file:lnk_file { getattr read };
 
 # Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
-# linker and its config.
+# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
 allow domain system_seccomp_policy_file:file r_file_perms;
 # cacerts are accessible from public Java API.
 allow domain system_security_cacerts_file:file r_file_perms;
+allow domain system_group_file:file r_file_perms;
+allow domain system_passwd_file:file r_file_perms;
 allow domain system_linker_exec:file { execute read open getattr map };
 allow domain system_linker_config_file:file r_file_perms;
 allow domain system_lib_file:file { execute read open getattr map };
@@ -1038,10 +1040,12 @@ full_treble_only(`
     -netutils_wrapper_exec
     -property_contexts_file
     -system_event_log_tags_file
+    -system_group_file
     -system_lib_file
     with_asan(`-system_asan_options_file')
     -system_linker_exec
     -system_linker_config_file
+    -system_passwd_file
     -system_seccomp_policy_file
     -system_security_cacerts_file
     -system_zoneinfo_file

public/file.te

@@ -152,10 +152,14 @@ type system_event_log_tags_file, system_file_type, file_type;
 type system_lib_file, system_file_type, file_type;
 # system libraries that are available only to bootstrap processes
 type system_bootstrap_lib_file, system_file_type, file_type;
+# Default type for the group file /system/etc/group.
+type system_group_file, system_file_type, file_type;
 # Default type for linker executable /system/bin/linker[64].
 type system_linker_exec, system_file_type, file_type;
 # Default type for linker config /system/etc/ld.config.*.
 type system_linker_config_file, system_file_type, file_type;
+# Default type for the passwd file /system/etc/passwd.
+type system_passwd_file, system_file_type, file_type;
 # Default type for linker config /system/etc/seccomp_policy/*.
 type system_seccomp_policy_file, system_file_type, file_type;
 # Default type for cacerts in /system/etc/security/cacerts/*.