seapp_context: explicitly label all seapp context files

am: 1e149967

Change-Id: Ie6fe25279ff73d4b200463bd07116a40a2272382

private/adbd.te

@@ -102,6 +102,7 @@ allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
 allow adbd service_contexts_file:file r_file_perms;
 allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
 
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;

private/file_contexts

@@ -46,9 +46,9 @@
 /plat_sepolicy\.cil      u:object_r:rootfs:s0
 /plat_property_contexts  u:object_r:property_contexts_file:s0
 /nonplat_property_contexts  u:object_r:property_contexts_file:s0
-/seapp_contexts     u:object_r:rootfs:s0
-/nonplat_seapp_contexts     u:object_r:rootfs:s0
-/plat_seapp_contexts     u:object_r:rootfs:s0
+/seapp_contexts     u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts     u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /sepolicy           u:object_r:rootfs:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /nonplat_service_contexts   u:object_r:service_contexts_file:s0
@@ -252,6 +252,7 @@
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts  u:object_r:seapp_contexts_file:s0
 
 #############################
 # Vendor files
@@ -260,6 +261,7 @@
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
 /vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts    u:object_r:seapp_contexts_file:s0
 
 #############################
 # OEM and ODM files

private/webview_zygote.te

@@ -10,9 +10,6 @@ typeattribute webview_zygote mlstrustedsubject;
 # resulting process into webview_zygote domain.
 init_daemon_domain(webview_zygote)
 
-# Access to system files for SELinux contexts.
-allow webview_zygote rootfs:file r_file_perms;
-
 # Allow reading/executing installed binaries to enable preloading the
 # installed WebView implementation.
 allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -46,6 +43,8 @@ allow webview_zygote system_server:process getpgid;
 # Interaction between the webview_zygote and its children.
 allow webview_zygote isolated_app:process setpgid;
 
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(webview_zygote)
 # Check SELinux permissions.

private/zygote.te

@@ -62,6 +62,8 @@ allow zygote self:capability sys_admin;
 allow zygote pmsg_device:chr_file getattr;
 allow zygote debugfs_trace_marker:file getattr;
 
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(zygote)
 # Check SELinux permissions.

public/file.te

@@ -262,6 +262,9 @@ type file_contexts_file, file_type;
 # property_contexts file
 type property_contexts_file, file_type;
 
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
 # service_contexts file
 type service_contexts_file, file_type;
 

public/installd.te

@@ -29,6 +29,8 @@ r_dir_file(installd, rootfs)
 r_dir_file(installd, system_file)
 # Get file context
 allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
 
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;