From 1e149967a241ef8898b790682bec2307b1ba7dbb Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Mon, 27 Mar 2017 10:57:07 -0700
Subject: [PATCH] seapp_context: explicitly label all seapp context files

seapp_context files need to be explicitly labeled as they are now split
cross system and vendor and won't have the generic world readable
'system_file' label.

Bug: 36002414
Test: no new 'seapp_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
      OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
      --skip-preconditions --skip-connectivity-check --abi \
      arm64-v8a --module CtsSecurityHostTestCases -t \
      android.security.cts.SELinuxHostTest#testAospSeappContexts
Test: Launch 'chrome' and succesfully load a website.
Test: Launch Camera and take a picture.
Test: Launch Camera and record a video, succesfully playback recorded
      video

Change-Id: I19b3e50c6a7c292713d3e56ef0448acf6e4270f7
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/adbd.te           | 1 +
 private/file_contexts     | 8 +++++---
 private/webview_zygote.te | 5 ++---
 private/zygote.te         | 2 ++
 public/file.te            | 3 +++
 public/installd.te        | 2 ++
 6 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/private/adbd.te b/private/adbd.te
index 2b80281d7..eb6ae3268 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -102,6 +102,7 @@ allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
 allow adbd service_contexts_file:file r_file_perms;
 allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
 
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
diff --git a/private/file_contexts b/private/file_contexts
index 08deeafe5..35325f95d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -46,9 +46,9 @@
 /plat_sepolicy\.cil      u:object_r:rootfs:s0
 /plat_property_contexts  u:object_r:property_contexts_file:s0
 /nonplat_property_contexts  u:object_r:property_contexts_file:s0
-/seapp_contexts     u:object_r:rootfs:s0
-/nonplat_seapp_contexts     u:object_r:rootfs:s0
-/plat_seapp_contexts     u:object_r:rootfs:s0
+/seapp_contexts     u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts     u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /sepolicy           u:object_r:rootfs:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /nonplat_service_contexts   u:object_r:service_contexts_file:s0
@@ -252,6 +252,7 @@
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 
 #############################
 # Vendor files
@@ -260,6 +261,7 @@
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
 /vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
 
 #############################
 # OEM and ODM files
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index b2a19519f..501581abf 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,9 +10,6 @@ typeattribute webview_zygote mlstrustedsubject;
 # resulting process into webview_zygote domain.
 init_daemon_domain(webview_zygote)
 
-# Access to system files for SELinux contexts.
-allow webview_zygote rootfs:file r_file_perms;
-
 # Allow reading/executing installed binaries to enable preloading the
 # installed WebView implementation.
 allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -46,6 +43,8 @@ allow webview_zygote system_server:process getpgid;
 # Interaction between the webview_zygote and its children.
 allow webview_zygote isolated_app:process setpgid;
 
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(webview_zygote)
 # Check SELinux permissions.
diff --git a/private/zygote.te b/private/zygote.te
index e9ec6724f..15fd95195 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -62,6 +62,8 @@ allow zygote self:capability sys_admin;
 allow zygote pmsg_device:chr_file getattr;
 allow zygote debugfs_trace_marker:file getattr;
 
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(zygote)
 # Check SELinux permissions.
diff --git a/public/file.te b/public/file.te
index 385c88b68..27937f4ec 100644
--- a/public/file.te
+++ b/public/file.te
@@ -262,6 +262,9 @@ type file_contexts_file, file_type;
 # property_contexts file
 type property_contexts_file, file_type;
 
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
 # service_contexts file
 type service_contexts_file, file_type;
 
diff --git a/public/installd.te b/public/installd.te
index 474ba9c35..a85edff9f 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -29,6 +29,8 @@ r_dir_file(installd, rootfs)
 r_dir_file(installd, system_file)
 # Get file context
 allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
 
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
-- 
GitLab