From 5b3494ebc3d9d957c00ea6040bde8549ad428a3a Mon Sep 17 00:00:00 2001
From: Yifan Hong <elsk@google.com>
Date: Thu, 25 May 2017 11:09:46 -0700
Subject: [PATCH] Update selinux policy for policyvers retrieval.

Test: pass
Bug: 62073522
Change-Id: I3d53d0d5ec701c87fb3d45080799f424f7ba3792
---
 private/app.te             | 1 -
 private/app_neverallows.te | 3 +++
 private/priv_app.te        | 3 +++
 public/recovery.te         | 3 +++
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/private/app.te b/private/app.te
index 1bda9f41c..0bc5fdd97 100644
--- a/private/app.te
+++ b/private/app.te
@@ -478,7 +478,6 @@ neverallow appdomain
 neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 
 # SELinux is not an API for apps to use
-neverallow { appdomain -shell } selinuxfs:file no_rw_file_perms;
 neverallow { appdomain -shell } *:security { compute_av check_context };
 neverallow { appdomain -shell } *:netlink_selinux_socket *;
 
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 9c762a1e8..9277d4181 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -166,6 +166,9 @@ neverallow all_untrusted_apps {
   -hidl_token_hwservice # Designed for use by any domain
 }:hwservice_manager find;
 
+# SELinux is not an API for untrusted apps to use
+neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
+
 # Restrict *Binder access from apps to HAL domains. We can only do this on full
 # Treble devices where *Binder communications between apps and HALs are tightly
 # restricted.
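Review bot: The added `neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;` asserts less than the rule this commit removes from private/app.te, which covered `{ appdomain -shell }`. Any domain that is in appdomain but not in all_untrusted_apps (presumably platform and system apps; confirm against the attribute definitions) loses its compile-time guard, although only priv_app needs the exception. Keeping the original assertion with a named carve-out, `neverallow { appdomain -shell -priv_app } selinuxfs:file no_rw_file_perms;`, would preserve the guard for every other app domain. Adding `neverallow priv_app selinuxfs:file no_w_file_perms;` would also keep write access to selinuxfs ruled out for priv_app.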
diff --git a/private/priv_app.te b/private/priv_app.te
index 109c86990..9603180de 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -108,6 +108,9 @@ allow priv_app preloads_media_file:dir r_dir_perms;
 # Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
 allow priv_app keystore:keystore_key gen_unique_id;
 
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow priv_app selinuxfs:file r_file_perms;
+
 read_runtime_log_tags(priv_app)
 
 ###
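Review bot: The comment above the added `allow priv_app selinuxfs:file r_file_perms;` names one file and one app, but the rule is wider: it lets every app in the priv_app domain read any file labelled selinuxfs. If the files under /sys/fs/selinux share a single label (likely, but not visible in this patch), the grant cannot be narrowed by type, so the comment should state the real scope, e.g. `# Needed only for /sys/fs/selinux/policyvers (GMS core compatibility check); grants read on all selinuxfs files to every priv_app`. If the check only opens and reads the file, `{ getattr open read }` would be a tighter permission set than r_file_perms. The same two points apply to `allow recovery selinuxfs:file r_file_perms;` in the public/recovery.te hunk.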
diff --git a/public/recovery.te b/public/recovery.te
index 6e211ac0e..99d792cbe 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -75,6 +75,9 @@ recovery_only(`
   allow recovery functionfs:dir search;
   allow recovery functionfs:file rw_file_perms;
 
+  # Access to /sys/fs/selinux/policyvers for compatibility check
+  allow recovery selinuxfs:file r_file_perms;
+
   # Required to e.g. wipe userdata/cache.
   allow recovery device:dir r_dir_perms;
   allow recovery block_device:dir r_dir_perms;
-- 
GitLab