Update selinux policy for policyvers retrieval.

Test: pass Bug: 62073522 Change-Id: I3d53d0d5ec701c87fb3d45080799f424f7ba3792

Update selinux policy for policyvers retrieval.
5b3494eb · Yifan Hong · 4b20ba9b · 5b3494eb · 5b3494eb · 5b3494eb
Commit 5b3494eb authored 7 years ago by Yifan Hong
--- a/private/app.te
+++ b/private/app.te
@@ -478,7 +478,6 @@ neverallow appdomain
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 # SELinux is not an API for apps to use
-neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
 neverallow { appdomain -shell } *:security { compute_av check_context };
 neverallow { appdomain -shell } *:netlink_selinux_socket *;

--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -166,6 +166,9 @@ neverallow all_untrusted_apps {
  -hidl_token_hwservice # Designed for use by any domain
 }:hwservice_manager find;
+# SELinux is not an API for untrusted apps to use
+neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
 # Restrict *Binder access from apps to HAL domains. We can only do this on full
 # Treble devices where *Binder communications between apps and HALs are tightly
 # restricted.

--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -108,6 +108,9 @@ allow priv_app preloads_media_file:dir r_dir_perms;
 # Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
 allow priv_app keystore:keystore_key gen_unique_id;
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow priv_app selinuxfs:file r_file_perms;
 read_runtime_log_tags(priv_app)
 ###

--- a/public/recovery.te
+++ b/public/recovery.te
@@ -75,6 +75,9 @@ recovery_only(`
  allow recovery functionfs:dir search;
  allow recovery functionfs:file rw_file_perms;
+  # Access to /sys/fs/selinux/policyvers for compatibility check
+  allow recovery selinuxfs:file r_file_perms;
  # Required to e.g. wipe userdata/cache.
  allow recovery device:dir r_dir_perms;
  allow recovery block_device:dir r_dir_perms;