From 639a2b842c78197e153913efbf20ac4df1fe378d Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 28 Apr 2017 12:45:30 -0700
Subject: [PATCH] Add default label and mapping for vendor services

Adding the default label/mapping is important because:
1.  Lookups of services without an selinux label should generate
    a denial.
2.  In permissive mode, lookups of a service without a label should be
    be allowed, without the default label service manager disallows
    access.
3.  We can neverallow use of the default label.

Bug: 37762790
Test: Build and flash policy onto Marlin with unlabeled vendor services.
    Add/find of unlabeled vendor services generate a denial.

Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80
---
 public/domain.te           | 13 ++++---------
 public/vndservice.te       |  1 +
 vendor/vndservice_contexts |  1 +
 3 files changed, 6 insertions(+), 9 deletions(-)
 create mode 100644 public/vndservice.te
 create mode 100644 vendor/vndservice_contexts

diff --git a/public/domain.te b/public/domain.te
index 0c4343743..ef939c507 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -424,18 +424,13 @@ neverallow * {fs_type -contextmount_type}:filesystem relabelto;
 neverallow { domain -recovery } contextmount_type:dir_file_class_set
     { create write setattr relabelfrom relabelto append unlink link rename };
 
-# Do not allow service_manager add for default_android_service.
+# Do not allow service_manager add for default service labels.
 # Instead domains should use a more specific type such as
 # system_app_service rather than the generic type.
-# New service_types are defined in service.te and new mappings
-# from service name to service_type are defined in service_contexts.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
 neverallow * default_android_service:service_manager add;
-
-# Do not allow hwservice_manager add for default_android_hwservice.
-# Instead domains should use a more specific type such as
-# hal_audio_hwservice rather than the generic type.
-# New service_types are defined in hwservice.te and new mappings
-# from service name to service_type are defined in hwservice_contexts.
+neverallow * default_android_vndservice:service_manager { add find };
 neverallow * default_android_hwservice:hwservice_manager { add find };
 
 # Looking up the base class/interface of all HwBinder services is a bad idea.
diff --git a/public/vndservice.te b/public/vndservice.te
new file mode 100644
index 000000000..0d309bf71
--- /dev/null
+++ b/public/vndservice.te
@@ -0,0 +1 @@
+type default_android_vndservice, vndservice_manager_type;
diff --git a/vendor/vndservice_contexts b/vendor/vndservice_contexts
new file mode 100644
index 000000000..4cca2fb65
--- /dev/null
+++ b/vendor/vndservice_contexts
@@ -0,0 +1 @@
+*                       u:object_r:default_android_vndservice:s0
-- 
GitLab