service_contexts: label service_contexts explicitly

am: 939d16b5 Change-Id: I1c351ee36100730bf98a3fe820d1f51f7b672ba5

service_contexts: label service_contexts explicitly
5a6ab596 · Sandeep Patil · android-build-merger · b81943b6 · 939d16b5 · 5a6ab596
Commit 5a6ab596 authored 8 years ago by Sandeep Patil Committed by android-build-merger 8 years ago
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -100,6 +100,7 @@ allow adbd system_file:file r_file_perms;
 allow adbd selinuxfs:dir r_dir_perms;
 allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;

 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;

--- a/private/file_contexts
+++ b/private/file_contexts
@@ -50,8 +50,8 @@
 /nonplat_seapp_contexts     u:object_r:rootfs:s0
 /plat_seapp_contexts     u:object_r:rootfs:s0
 /sepolicy           u:object_r:rootfs:s0
-/plat_service_contexts   u:object_r:rootfs:s0
-/nonplat_service_contexts   u:object_r:rootfs:s0
+/plat_service_contexts   u:object_r:service_contexts_file:s0
+/nonplat_service_contexts   u:object_r:service_contexts_file:s0

 ##########################
 # Devices
@@ -250,12 +250,14 @@
 /system/bin/vr_wm                u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0

 #############################
 # Vendor files
 #
 /vendor(/.*)?		u:object_r:system_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0

 #############################
 # OEM and ODM files

--- a/public/file.te
+++ b/public/file.te
@@ -259,6 +259,9 @@ type gps_control, file_type;
 # property_contexts file
 type property_contexts_file, file_type;

+# service_contexts file
+type service_contexts_file, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;

--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -11,7 +11,8 @@ type servicemanager_exec, exec_type, file_type;
 allow servicemanager self:binder set_context_mgr;
 allow servicemanager { domain -init }:binder transfer;

-r_dir_file(servicemanager, rootfs)
+# Access to all (system and vendor) service_contexts
+allow servicemanager service_contexts_file:file r_file_perms;

 # Check SELinux permissions.
 selinux_check_access(servicemanager)