From a4768fa8b5f995414eb7e24ea2dac5507a93f537 Mon Sep 17 00:00:00 2001
From: Jiyong Park <jiyong@google.com>
Date: Fri, 7 Apr 2017 21:16:19 +0900
Subject: [PATCH] sepolicy: allow access to vndk-stable libs

Vndk-stable libs are system libs that are used by same process HALs.
Since same process HALs can be loaded into any process, vndk-stable libs
can be as well.

Bug: 37138502
Test: none, because the directory is currently empty and thus this is
no-op. sailfish builds and boots.

Change-Id: I67a2c8c2e4c3517aa30b4a97dc80dc2800e47b5a
---
 private/file_contexts | 2 ++
 public/domain.te      | 5 +++++
 public/file.te        | 2 ++
 3 files changed, 9 insertions(+)

diff --git a/private/file_contexts b/private/file_contexts
index 83792ed60..f6e8e6bfe 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -266,6 +266,8 @@
 
 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0
 
+/(vendor|system/vendor)/lib(64)?/vndk-stable(/.*)? u:object_r:vndk_stable_file:s0
+
 # TODO: b/36790901 move this to /vendor/etc
 /(vendor|system/vendor)/manifest.xml           u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/app(/.*)?              u:object_r:vendor_app_file:s0
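Review bot: The new `vndk-stable(/.*)?` entry carries no comment, although it is the only thing that decides which files receive the domain-wide execute grant added in public/domain.te. A line above it such as `# vndk-stable: libs every domain may load; keep this directory limited to vetted libraries` would tell the next editor why the path must stay narrow. The context column is also not aligned with the neighbouring entries, which makes the label harder to spot when scanning the file.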
diff --git a/public/domain.te b/public/domain.te
index f16d2771e..1fb648bbe 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -119,6 +119,11 @@ allow domain vendor_hal_file:dir r_dir_perms;
 allow domain same_process_hal_file:dir r_dir_perms;
 allow domain same_process_hal_file:file { execute read open getattr };
 
+# Any process can load vndk-stable libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_stable_file:dir r_dir_perms;
+allow domain vndk_stable_file:file { execute read open getattr };
+
 # All domains get access to /vendor/etc
 allow domain vendor_configs_file:dir r_dir_perms;
 allow domain vendor_configs_file:file { read open getattr };
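Review bot: The two new `allow domain vndk_stable_file` rules let every domain map and execute these files, but nothing visible in this hunk asserts that no domain can modify them. If an existing neverallow on `vendor_file_type` elsewhere in the policy does not already cover the new type, a companion rule would keep the blanket execute from becoming a code-loading path later, e.g. `neverallow domain vndk_stable_file:file { write append create unlink rename };`, with whatever exemptions the tree already uses for vendor files. The commit message notes the directory is empty and the change is untested, so a compile-time guard is the only check these rules would get for now. Only `dir` and `file` classes are granted, so it is worth confirming the libraries will not be installed as symlinks.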
diff --git a/public/file.te b/public/file.te
index 6468d16af..2d02e8699 100644
--- a/public/file.te
+++ b/public/file.te
@@ -94,6 +94,8 @@ type vendor_configs_file, vendor_file_type, file_type;
 # Default type for all *same process* HALs.
 # e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
 type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-stable libs. /vendor/lib/vndk-stable
+type vndk_stable_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/framework
 type vendor_framework_file, vendor_file_type, file_type;
 # Default type for everything in /vendor/overlay
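Review bot: The comment on `vndk_stable_file` names only `/vendor/lib/vndk-stable`, while the file_contexts entry in this commit also matches `lib64` and the `/system/vendor` path. It also does not say that these are system libraries, as the commit message and the domain.te comment describe them, even though the type carries `vendor_file_type`. Something like `# Default type for vndk-stable libs: system libs used by same process HALs, under /(vendor|system/vendor)/lib(64)?/vndk-stable` would remove the ambiguity for anyone writing attribute-based rules against `vendor_file_type`.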
-- 
GitLab