From 6676c234fc6a634cdf5231a3e33b3edc075daa51 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Fri, 31 Mar 2017 17:29:53 -0700
Subject: [PATCH] Add target for vndservice_contexts.

So we can limit vndservicemanager access to
just vndservice_contexts.

Bug: 36052864
Test: servicemanager,vndservicemanager work
Change-Id: I7b132d4f616ba1edd0daf7be750d4b7174c4e188
---
 Android.mk                  | 31 +++++++++++++++++++++++++++++++
 private/file_contexts       |  2 ++
 public/file.te              |  3 +++
 public/servicemanager.te    |  2 ++
 vendor/vndservicemanager.te |  3 +++
 5 files changed, 41 insertions(+)

diff --git a/Android.mk b/Android.mk
index da58e53c9..b941bf370 100644
--- a/Android.mk
+++ b/Android.mk
@@ -1067,6 +1067,37 @@ nonplat_service_contexts.tmp :=
 ##################################
 include $(CLEAR_VARS)
 
+LOCAL_MODULE := vndservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+ifeq ($(PRODUCT_FULL_TREBLE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
+$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
+$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vndservice_contexts.tmp): $(vnd_svcfiles)
+	@mkdir -p $(dir $@)
+	$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+	@mkdir -p $(dir $@)
+	sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+	$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
+
+vnd_svcfiles :=
+vndservice_contexts.tmp :=
+##################################
+include $(CLEAR_VARS)
+
 LOCAL_MODULE := plat_mac_permissions.xml
 LOCAL_MODULE_CLASS := ETC
 LOCAL_MODULE_TAGS := optional
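Review bot: The recipe for `$(LOCAL_BUILT_MODULE)` writes the stripped contexts straight into `$@` with `sed -e 's/#.*$$//' -e '/^$$/d' $< > $@` and only then runs `checkfc` on it, so a checkfc failure leaves an unvalidated `$@` on disk that is newer than its prerequisites; unless the surrounding build system declares `.DELETE_ON_ERROR` (not visible in this hunk), a rerun can treat that file as up to date and ship it. Writing the sed output to `$@.tmp`, running `checkfc -s $(PRIVATE_SEPOLICY) $@.tmp`, and finishing with `mv -f $@.tmp $@` keeps the validated file as the only thing that ever exists under the module name. The same sed line is also the only recipe line in the hunk without the `$(hide)` prefix that the `m4` and `checkfc` lines use, and `$(ACP)` is listed as a prerequisite on the `$(LOCAL_BUILT_MODULE)` rule although nothing in the recipe invokes it; if it is copy-paste from the sibling service_contexts modules it can be dropped, otherwise a comment saying why it is needed would help.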
diff --git a/private/file_contexts b/private/file_contexts
index 668714491..d8f69ce53 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -52,6 +52,7 @@
 /sepolicy           u:object_r:sepolicy_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /nonplat_service_contexts   u:object_r:service_contexts_file:s0
+/vndservice_contexts   u:object_r:vndservice_contexts_file:s0
 
 ##########################
 # Devices
@@ -270,6 +271,7 @@
 /vendor/etc/selinux/nonplat_sepolicy.cil       u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/precompiled_sepolicy        u:object_r:sepolicy_file:s0
 /vendor/etc/selinux/precompiled_sepolicy.plat.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/vndservice_contexts         u:object_r:vndservice_contexts_file:s0
 
 #############################
 # OEM and ODM files
diff --git a/public/file.te b/public/file.te
index d7a82bc6c..67375c408 100644
--- a/public/file.te
+++ b/public/file.te
@@ -274,6 +274,9 @@ type sepolicy_file, file_type;
 # service_contexts file
 type service_contexts_file, file_type;
 
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
+
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index 7ad32fc6d..bba9c6eda 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -12,6 +12,8 @@ allow servicemanager self:binder set_context_mgr;
 allow servicemanager { domain -init }:binder transfer;
 
 # Access to all (system and vendor) service_contexts
+# TODO(b/36866029) access to nonplat_service_contexts
+#                  should not be allowed on full treble devices
 allow servicemanager service_contexts_file:file r_file_perms;
 
 # Check SELinux permissions.
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index dff18ce56..e8988843e 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -10,5 +10,8 @@ allow vndservicemanager { domain -coredomain -init }:binder transfer;
 
 allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
 
+# Read vndservice_contexts
+allow vndservicemanager vndservice_contexts_file:file r_file_perms;
+
 # Check SELinux permissions.
 selinux_check_access(vndservicemanager)
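Review bot: The new `allow vndservicemanager vndservice_contexts_file:file r_file_perms;` grants the vendor-side read, but nothing in this change withdraws or forbids vndservicemanager access to `service_contexts_file`, which the commit message states is the goal; lines 1–9 of this file are outside the hunk, so whether an older allow rule on service_contexts_file still exists there can't be seen here. If the split is meant to be enforced rather than just enabled, pairing the new rule with `neverallow vndservicemanager service_contexts_file:file *;` turns it into a policy-compile-time guarantee and documents the intent next to the allow. A one-line comment such as `# vndservicemanager must only see vendor service labels, never the system service_contexts` above the allow would also explain why a separate file type was introduced.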
-- 
GitLab