Merge "Add target for vndservice_contexts." into oc-dev
am: c3a9e7df5f
Change-Id: Ifcb4f63b7111252ee3a0deb58e6471b06df58587
f89f35ecc9
5 changed files with 41 additions and 0 deletions
31
Android.mk
31
Android.mk
|
@ -1067,6 +1067,37 @@ nonplat_service_contexts.tmp :=
|
|||
##################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := vndservice_contexts
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
ifeq ($(PRODUCT_FULL_TREBLE),true)
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
|
||||
else
|
||||
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
|
||||
endif
|
||||
|
||||
include $(BUILD_SYSTEM)/base_rules.mk
|
||||
|
||||
vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
|
||||
|
||||
vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
|
||||
$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
|
||||
$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
|
||||
$(vndservice_contexts.tmp): $(vnd_svcfiles)
|
||||
@mkdir -p $(dir $@)
|
||||
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
|
||||
|
||||
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
|
||||
$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
|
||||
@mkdir -p $(dir $@)
|
||||
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
|
||||
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
|
||||
|
||||
vnd_svcfiles :=
|
||||
vndservice_contexts.tmp :=
|
||||
##################################
|
||||
include $(CLEAR_VARS)
|
||||
|
||||
LOCAL_MODULE := plat_mac_permissions.xml
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
LOCAL_MODULE_TAGS := optional
|
||||
|
|
|
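Review bot: In the `$(LOCAL_BUILT_MODULE)` rule the stripped contexts file is written straight to `$@` by `sed` and only afterwards validated by checkfc, so a contexts file that fails validation is left behind at the built-module path; unless the enclosing build sets `.DELETE_ON_ERROR` (not visible here), a re-run can treat it as up to date. Writing to a temporary name and publishing only after the check passes avoids this: `$(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< > $@.tmp`, `$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@.tmp`, `$(hide) mv -f $@.tmp $@`. The `sed` line is also the only recipe line without `$(hide)`, and `$(ACP)` is listed as a prerequisite of `$(LOCAL_BUILT_MODULE)` but never used in the recipe. Both appear to mirror the neighbouring service_contexts rules, so any change should be applied to those rules together.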
@ -52,6 +52,7 @@
|
|||
/sepolicy u:object_r:sepolicy_file:s0
|
||||
/plat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/nonplat_service_contexts u:object_r:service_contexts_file:s0
|
||||
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
|
||||
|
||||
##########################
|
||||
# Devices
|
||||
|
@ -271,6 +272,7 @@
|
|||
/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
|
||||
/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
|
||||
|
||||
#############################
|
||||
# OEM and ODM files
|
||||
|
|
|
@ -276,6 +276,9 @@ type sepolicy_file, file_type;
|
|||
# service_contexts file
|
||||
type service_contexts_file, file_type;
|
||||
|
||||
# vndservice_contexts file
|
||||
type vndservice_contexts_file, file_type;
|
||||
|
||||
# Allow files to be created in their appropriate filesystems.
|
||||
allow fs_type self:filesystem associate;
|
||||
allow sysfs_type sysfs:filesystem associate;
|
||||
|
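Review bot: The new `vndservice_contexts_file` type carries only the `file_type` attribute, mirroring `service_contexts_file` just above it, yet the same commit installs the file under `/vendor/etc/selinux` on full-Treble devices (Android.mk hunk). If this tree already declares a vendor-side file attribute for /vendor contents, the type should probably carry it as well so that the vendor/system file neverallows cover it; this needs checking against the attribute declarations earlier in file.te, which are outside this hunk. The comment could also say what the file is, e.g. `# vndservice_contexts file: service labels read by vndservicemanager (installed under /vendor/etc/selinux on full Treble devices)`.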
|
|
@ -12,6 +12,8 @@ allow servicemanager self:binder set_context_mgr;
|
|||
allow servicemanager { domain -init }:binder transfer;
|
||||
|
||||
# Access to all (system and vendor) service_contexts
|
||||
# TODO(b/36866029) access to nonplat_service_contexts
|
||||
# should not be allowed on full treble devices
|
||||
allow servicemanager service_contexts_file:file r_file_perms;
|
||||
|
||||
# Check SELinux permissions.
|
||||
|
|
3
vendor/vndservicemanager.te
vendored
3
vendor/vndservicemanager.te
vendored
|
@ -10,5 +10,8 @@ allow vndservicemanager { domain -coredomain -init }:binder transfer;
|
|||
|
||||
allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
|
||||
|
||||
# Read vndservice_contexts
|
||||
allow vndservicemanager vndservice_contexts_file:file r_file_perms;
|
||||
|
||||
# Check SELinux permissions.
|
||||
selinux_check_access(vndservicemanager)
|
||||
|
|
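Review bot: The new rule grants vndservicemanager read access to `vndservice_contexts_file`, but nothing in the commit asserts the converse — that system-side (coredomain) domains do not read the vendor contexts file, which is the same Treble boundary the servicemanager.te TODO in this commit describes for nonplat_service_contexts. A neverallow here or in file.te would lock that in; the exact exclusion set (init, recovery and whatever relabels /vendor at boot) has to be checked before adding it. The comment could state the intent more precisely, e.g. `# Read vndservice_contexts (the vendor-side counterpart of service_contexts)`.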