diff --git a/private/adbd.te b/private/adbd.te
index 2b80281d71fe5d9405147ae2cbe226719cf36983..eb6ae3268c6988cafd2e713d8601f9a055b31513 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -102,6 +102,7 @@ allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
 allow adbd service_contexts_file:file r_file_perms;
 allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
 
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
diff --git a/private/file_contexts b/private/file_contexts
index 08deeafe5c92211aa05db6f20423dc0ff76d3876..35325f95dad7bc5cf5b1b11286bba9099b64b1f1 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -46,9 +46,9 @@
 /plat_sepolicy\.cil u:object_r:rootfs:s0
 /plat_property_contexts u:object_r:property_contexts_file:s0
 /nonplat_property_contexts u:object_r:property_contexts_file:s0
-/seapp_contexts u:object_r:rootfs:s0
-/nonplat_seapp_contexts u:object_r:rootfs:s0
-/plat_seapp_contexts u:object_r:rootfs:s0
+/seapp_contexts u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
 /sepolicy u:object_r:rootfs:s0
 /plat_service_contexts u:object_r:service_contexts_file:s0
 /nonplat_service_contexts u:object_r:service_contexts_file:s0
@@ -252,6 +252,7 @@
 /system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
 
 #############################
 # Vendor files
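Review bot: The new `allow adbd seapp_contexts_file:file r_file_perms;` line carries no comment, while the zygote and webview_zygote hunks document the equivalent grant with `# Get seapp_contexts`; adding the same comment here keeps the rationale next to the rule. The installd hunk's `# Get seapp_context` drops the trailing s the other hunks use and could be aligned at the same time. The grant is read-only and sits beside the existing file_contexts_file and service_contexts_file rules, so the access itself looks proportionate.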
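Review bot: Relabeling /seapp_contexts, /plat_seapp_contexts and /nonplat_seapp_contexts away from rootfs withdraws read access from every domain that only had `rootfs:file` read; the commit updates adbd, zygote, webview_zygote and installd, but any other process that loads seapp_contexts is not visible from this diff and should be checked before landing, for example by watching for `avc: denied { read }` on `seapp_contexts_file` during boot and app-install testing. /sepolicy and /plat_sepolicy\.cil stay rootfs-labeled in this hunk, so readers of those files are unaffected. The dedicated type is a least-privilege improvement, since domains that need generic rootfs files no longer implicitly see the app-labeling configuration.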
@@ -260,6 +261,7 @@
 /vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts u:object_r:service_contexts_file:s0
 /vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
 
 #############################
 # OEM and ODM files
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index b2a19519fc7ee44edb68e6b7322405c25a22739a..501581abf3b3f091bc31b30b5641f844b2cd2517 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,9 +10,6 @@ typeattribute webview_zygote mlstrustedsubject;
 # resulting process into webview_zygote domain.
 init_daemon_domain(webview_zygote)
 
-# Access to system files for SELinux contexts.
-allow webview_zygote rootfs:file r_file_perms;
-
 # Allow reading/executing installed binaries to enable preloading the
 # installed WebView implementation.
 allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -46,6 +43,8 @@ allow webview_zygote system_server:process getpgid;
 # Interaction between the webview_zygote and its children.
 allow webview_zygote isolated_app:process setpgid;
 
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(webview_zygote)
 # Check SELinux permissions.
diff --git a/private/zygote.te b/private/zygote.te
index e9ec6724ff53a5210f54865ed6d83a5d8655003b..15fd951952756e30159a4c76f0f329339ba39751 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -62,6 +62,8 @@ allow zygote self:capability sys_admin;
 allow zygote pmsg_device:chr_file getattr;
 allow zygote debugfs_trace_marker:file getattr;
 
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
 # Check validity of SELinux context before use.
 selinux_check_context(zygote)
 # Check SELinux permissions.
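Review bot: The added `allow webview_zygote seapp_contexts_file:file r_file_perms;` stands in for the `rootfs:file r_file_perms` rule removed earlier in this file, whose comment described it as covering "system files for SELinux contexts" in general; the file_contexts hunk leaves /sepolicy and /plat_sepolicy\.cil labeled rootfs, so if webview_zygote reads any of those or any other rootfs-labeled file, that access is lost with this change. I cannot tell from the hunks alone whether that is the case, so a denial check on webview_zygote after the relabel is worth doing before landing. As a layout nit, the new pair is inserted directly above `# Check validity of SELinux context before use.` with no separating blank line; the zygote hunk has the same shape.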
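Review bot: zygote gains the read on seapp_contexts_file but, unlike webview_zygote in this same commit, no corresponding `rootfs:file` read is removed; if zygote.te outside this hunk still grants rootfs file read only so that seapp_contexts could be loaded, that rule is now redundant and dropping it would complete the tightening this commit starts. The zygote.te rules before and after the hunk are not visible here, so this is a follow-up check rather than a defect in the shown lines. The comment could also say what the file is for, e.g. `# Read seapp_contexts, the configuration used to label app processes`.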
diff --git a/public/file.te b/public/file.te
index e2eab2ea9d6a0b1ef56d919c7b87d0c2d273c0f1..b3cf59c45bd7ff3b23f33bc20a4eff0d821b936b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -262,6 +262,9 @@ type file_contexts_file, file_type;
 # property_contexts file
 type property_contexts_file, file_type;
 
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
 # service_contexts file
 type service_contexts_file, file_type;
 
diff --git a/public/installd.te b/public/installd.te
index 474ba9c35de94560ebc8ef1e26111e2130dd5ed8..a85edff9f0fb08099db00bd35b78b83480aca3b3 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -29,6 +29,8 @@ r_dir_file(installd, rootfs)
 r_dir_file(installd, system_file)
 # Get file context
 allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;