Add default label and mapping for vendor services

Adding the default label/mapping is important because: 1. Lookups of services without an selinux label should generate a denial. 2. In permissive mode, lookups of a service without a label should be be allowed, without the default label service manager disallows access. 3. We can neverallow use of the default label. Bug: 37762790 Test: Build and flash policy onto Marlin with unlabeled vendor services. Add/find of unlabeled vendor services generate a denial. Change-Id: I66531deedc3f9b79616f5d0681c87ed66aca5b80

Add default label and mapping for vendor services
639a2b84 · Jeff Vander Stoep · 8fed11ad · 639a2b84 · 639a2b84 · 639a2b84
Commit 639a2b84 authored 7 years ago by Jeff Vander Stoep
--- a/public/domain.te
+++ b/public/domain.te
@@ -424,18 +424,13 @@ neverallow * {fs_type -contextmount_type}:filesystem relabelto;
 neverallow { domain -recovery } contextmount_type:dir_file_class_set
    { create write setattr relabelfrom relabelto append unlink link rename };
-# Do not allow service_manager add for default_android_service.
+# Do not allow service_manager add for default service labels.
 # Instead domains should use a more specific type such as
 # system_app_service rather than the generic type.
-# New service_types are defined in service.te and new mappings
+# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in service_contexts.
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
 neverallow * default_android_service:service_manager add;
+neverallow * default_android_vndservice:service_manager { add find };
-# Do not allow hwservice_manager add for default_android_hwservice.
-# Instead domains should use a more specific type such as
-# hal_audio_hwservice rather than the generic type.
-# New service_types are defined in hwservice.te and new mappings
-# from service name to service_type are defined in hwservice_contexts.
 neverallow * default_android_hwservice:hwservice_manager { add find };
 # Looking up the base class/interface of all HwBinder services is a bad idea.

--- a/public/vndservice.te
+++ b/public/vndservice.te
+type default_android_vndservice, vndservice_manager_type;
--- a/vendor/vndservice_contexts
+++ b/vendor/vndservice_contexts
+*                       u:object_r:default_android_vndservice:s0