diff --git a/Android.mk b/Android.mk
index da58e53c9..b941bf370 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1067,6 +1067,37 @@ nonplat_service_contexts.tmp :=
 ##################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := vndservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
+$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
+$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vndservice_contexts.tmp): $(vnd_svcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+vnd_svcfiles :=
+vndservice_contexts.tmp :=
+##################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := plat_mac_permissions.xml
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
diff --git a/private/file_contexts b/private/file_contexts
index 7a52e5cd2..dfc564066 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -52,6 +52,7 @@
 /sepolicy u:object_r:sepolicy_file:s0
 /plat_service_contexts u:object_r:service_contexts_file:s0
 /nonplat_service_contexts u:object_r:service_contexts_file:s0
+/vndservice_contexts u:object_r:vndservice_contexts_file:s0
 
 ##########################
 # Devices
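Review bot: `$(ACP)` is listed as a prerequisite of `$(LOCAL_BUILT_MODULE)` but the recipe never invokes it, so that dependency is dead weight and should be dropped. The recipe also writes the comment-stripped contexts file to `$@` with `sed` and only afterwards runs `checkfc -s` on it, so a failed label check leaves an unvalidated `$@` on disk that a later incremental build may consider up to date unless the build system sets `.DELETE_ON_ERROR`, which is not visible here. Writing to a scratch name and renaming only after the check avoids that: `sed -e 's/#.*$$//' -e '/^$$/d' $< > $@.tmp`, `$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@.tmp`, `mv -f $@.tmp $@`. Whether the neighbouring nonplat_service_contexts module that the hunk header points at has the same shape is outside the hunk.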
@@ -271,6 +272,7 @@
 /vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
 
 #############################
 # OEM and ODM files
diff --git a/public/file.te b/public/file.te
index f7f91df35..f776ef6e5 100644
--- a/public/file.te
+++ b/public/file.te
@@ -276,6 +276,9 @@ type sepolicy_file, file_type;
 # service_contexts file
 type service_contexts_file, file_type;
 
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 7ad32fc6d..bba9c6eda 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -12,6 +12,8 @@ allow servicemanager self:binder set_context_mgr;
 allow servicemanager { domain -init }:binder transfer;
 
 # Access to all (system and vendor) service_contexts
+# TODO(b/36866029) access to nonplat_service_contexts
+# should not be allowed on full treble devices
 allow servicemanager service_contexts_file:file r_file_perms;
 
 # Check SELinux permissions.
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index dff18ce56..e8988843e 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -10,5 +10,8 @@ allow vndservicemanager { domain -coredomain -init }:binder transfer;
 
 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
 
+# Read vndservice_contexts
+allow vndservicemanager vndservice_contexts_file:file r_file_perms;
+
 # Check SELinux permissions.
 selinux_check_access(vndservicemanager)
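Review bot: The comment `# vndservice_contexts file` above the new type in public/file.te only restates its name; what a reader needs is why a separate type is declared instead of reusing service_contexts_file. From the other hunks it appears the split exists so that servicemanager's `r_file_perms` on service_contexts_file does not extend to the vendor file, which only vndservicemanager is granted, so a comment along the lines of `# vndservice_contexts file; kept distinct from service_contexts_file so servicemanager's read access does not cover the vendor service contexts` would record the intent. The TODO added in servicemanager.te suggests the same direction, but that is an inference from the comments rather than something the hunk states.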