From 54a420013492504ee277d4ebf850724923a031b3 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Fri, 24 Mar 2017 10:22:14 -0700
Subject: [PATCH] prop_context: correctly label all property_context files

The split property context files in vendor and system were left untouched by
the recent changes. This was working accidentally because they were
still accessible to all domains as 'system_file'.

Bug: 36002573
Test: Boot sailfish to observe no new denials.
Test: 'adb sideload' OTA on sailfish successfully

Change-Id: I5bec058b59db83d2a431e9f7e91c5a09af7d2942
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/file_contexts | 6 ++++--
 public/domain.te      | 2 +-
 public/file.te        | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/private/file_contexts b/private/file_contexts
index 1db5210d9..5c0bc67c6 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -44,8 +44,8 @@
 /mapping_sepolicy\.cil   u:object_r:rootfs:s0
 /nonplat_sepolicy\.cil   u:object_r:rootfs:s0
 /plat_sepolicy\.cil      u:object_r:rootfs:s0
-/plat_property_contexts  u:object_r:property_contexts:s0
-/nonplat_property_contexts  u:object_r:property_contexts:s0
+/plat_property_contexts  u:object_r:property_contexts_file:s0
+/nonplat_property_contexts  u:object_r:property_contexts_file:s0
 /seapp_contexts     u:object_r:rootfs:s0
 /nonplat_seapp_contexts     u:object_r:rootfs:s0
 /plat_seapp_contexts     u:object_r:rootfs:s0
@@ -249,11 +249,13 @@
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
 /system/bin/vr_wm                u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 
 #############################
 # Vendor files
 #
 /vendor(/.*)?		u:object_r:system_file:s0
+/vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 
 #############################
 # OEM and ODM files
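Review bot: The two added entries for `/system/etc/selinux/plat_property_contexts` and `/vendor/etc/selinux/nonplat_property_contexts` are not really exercised by a "no new denials" boot test. A file that still falls through to `system_file`, for example via the `/vendor(/.*)?` line just above, stays readable by every domain, which is the accidental behaviour the description mentions. Checking the resulting labels directly on the device, e.g. `ls -Z /system/etc/selinux/plat_property_contexts /vendor/etc/selinux/nonplat_property_contexts`, would confirm that the specific entries win over the generic ones. A one-line comment above the vendor entry, such as `# split property_contexts; must remain more specific than /vendor(/.*)?`, would make that dependency explicit.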
diff --git a/public/domain.te b/public/domain.te
index 3ed451a15..2febffb57 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -89,7 +89,7 @@ get_prop(domain, core_property_type)
 # messages to logd.
 get_prop(domain, log_property_type)
 dontaudit domain property_type:file audit_access;
-allow domain property_contexts:file r_file_perms;
+allow domain property_contexts_file:file r_file_perms;
 
 allow domain init:key search;
 allow domain vold:key search;
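Review bot: The changed rule gives every domain `r_file_perms` on `property_contexts_file`, but nothing in this hunk protects the type against modification, and these files decide how properties are labelled. If no such assertion already exists elsewhere in the policy, a neverallow beside the allow would stop a later device-specific rule from making them writable, for example `neverallow { domain -init } property_contexts_file:file { write append };`. The exemption set shown is an assumption; confirm it against whichever domains legitimately write or relabel these files (recovery and OTA paths in particular).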
diff --git a/public/file.te b/public/file.te
index 21d574468..1ef7a355c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -257,7 +257,7 @@ type sap_uim_socket, file_type;
 type gps_control, file_type;
 
 # property_contexts file
-type property_contexts, file_type;
+type property_contexts_file, file_type;
 
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
-- 
GitLab