From c9cf7361c1f5000834f125d287df8d2708b4d634 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Fri, 24 Mar 2017 15:02:13 -0700
Subject: [PATCH] file_context: explicitly label all file context files

file_contexts files need to be explicitly labeled: they are now split
across the system and vendor partitions and can no longer rely on the
generic, world-readable 'system_file' label.

Bug: 36002414
Test: no new 'file_context' denials at boot complete on sailfish
Test: successfully booted into recovery without denials and sideloaded
OTA update.
Test: ./cts-tradefed run singleCommand cts --skip-device-info \
       --skip-preconditions --skip-connectivity-check --abi \
       arm64-v8a --module CtsSecurityHostTestCases -t \
       android.security.cts.SELinuxHostTest#testAospFileContexts

Change-Id: I603157e9fa7d1de3679d41e343de397631666273
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
 private/adbd.te          | 1 +
 private/file_contexts    | 8 +++++---
 private/system_server.te | 2 ++
 public/file.te           | 3 +++
 public/init.te           | 3 +++
 public/installd.te       | 2 ++
 public/kernel.te         | 3 +++
 public/recovery.te       | 2 ++
 public/ueventd.te        | 3 +++
 public/vold.te           | 3 +++
 10 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/private/adbd.te b/private/adbd.te
index 80c6a016f..2b80281d7 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -101,6 +101,7 @@ allow adbd selinuxfs:dir r_dir_perms;
 allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;
 allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
 
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
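Review bot: The new `allow adbd file_contexts_file:file r_file_perms;` rule is the only grant in this patch without a why-comment; every sibling hunk annotates its rule (`# Get file context`, `# Get file contexts for new device nodes`). Given adbd's exposure to attached hosts, the reason it must load file contexts should be recorded beside the rule so the grant can be re-audited, e.g. `# Read file_contexts for restorecon of files adbd creates (confirm which libselinux call needs this)`. The adbd rule block continues outside the hunk.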
diff --git a/private/file_contexts b/private/file_contexts
index 90df77cc8..08deeafe5 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -38,9 +38,9 @@
 /sdcard             u:object_r:rootfs:s0
 
 # SELinux policy files
-/file_contexts\.bin u:object_r:rootfs:s0
-/nonplat_file_contexts u:object_r:rootfs:s0
-/plat_file_contexts u:object_r:rootfs:s0
+/file_contexts\.bin     u:object_r:file_contexts_file:s0
+/nonplat_file_contexts  u:object_r:file_contexts_file:s0
+/plat_file_contexts     u:object_r:file_contexts_file:s0
 /mapping_sepolicy\.cil   u:object_r:rootfs:s0
 /nonplat_sepolicy\.cil   u:object_r:rootfs:s0
 /plat_sepolicy\.cil      u:object_r:rootfs:s0
@@ -251,6 +251,7 @@
 /system/bin/hw/android\.hidl\.allocator@1\.0-service          u:object_r:hal_allocator_default_exec:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_file_contexts  u:object_r:file_contexts_file:s0
 
 #############################
 # Vendor files
@@ -258,6 +259,7 @@
 /vendor(/.*)?		u:object_r:system_file:s0
 /vendor/etc/selinux/nonplat_property_contexts   u:object_r:property_contexts_file:s0
 /vendor/etc/selinux/nonplat_service_contexts    u:object_r:service_contexts_file:s0
+/vendor/etc/selinux/nonplat_file_contexts   u:object_r:file_contexts_file:s0
 
 #############################
 # OEM and ODM files
diff --git a/private/system_server.te b/private/system_server.te
index 5aae022bd..698ae8ead 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -230,6 +230,8 @@ allow system_server mediaserver:udp_socket rw_socket_perms;
 allow system_server mediadrmserver:tcp_socket rw_socket_perms;
 allow system_server mediadrmserver:udp_socket rw_socket_perms;
 
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
 # Check SELinux permissions.
 selinux_check_access(system_server)
 
diff --git a/public/file.te b/public/file.te
index 72af4855c..385c88b68 100644
--- a/public/file.te
+++ b/public/file.te
@@ -256,6 +256,9 @@ type sap_uim_socket, file_type;
 # UART (for GPS) control proc file
 type gps_control, file_type;
 
+# file_contexts files
+type file_contexts_file, file_type;
+
 # property_contexts file
 type property_contexts_file, file_type;
 
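Review bot: `# file_contexts files` at the type declaration says nothing about which paths carry the label or who is expected to read it, while the grants are spread over eight domains in this patch. Document it where the type is defined, e.g. `# file_contexts files: /plat_file_contexts, /nonplat_file_contexts, /file_contexts.bin and their copies under /system/etc/selinux and /vendor/etc/selinux. Domains that load file contexts through libselinux need r_file_perms; there is deliberately no domain-wide grant.` Because the new label moves these files out of the world-readable 'system_file' label the description mentions, the permitted-domain list appears to have been derived from boot on one device (the Test: lines); domains that only load file contexts on demand may surface denials later, so cross-checking the list against libselinux callers is worth doing before merge. If the policy does not already have one, a neverallow restricting write access to `file_contexts_file` to init/recovery-style domains would be cheap defense in depth, since these files steer how /data gets relabelled.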
diff --git a/public/init.te b/public/init.te
index 4b080464b..4aa1349e1 100644
--- a/public/init.te
+++ b/public/init.te
@@ -299,6 +299,9 @@ r_dir_file(init, domain)
 # setsockcreate is for labeling local/unix domain sockets.
 allow init self:process { setexec setfscreate setsockcreate };
 
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
 # Perform SELinux access checks on setting properties.
 selinux_check_access(init)
 
diff --git a/public/installd.te b/public/installd.te
index 0a5b8a380..474ba9c35 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -27,6 +27,8 @@ selinux_check_context(installd)
 r_dir_file(installd, rootfs)
 # Scan through APKs in /system/app and /system/priv-app
 r_dir_file(installd, system_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
 
 # Search /data/app-asec and stat files in it.
 allow installd asec_image_file:dir search;
diff --git a/public/kernel.te b/public/kernel.te
index a93c8e908..9537c0dfa 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -11,6 +11,9 @@ r_dir_file(kernel, proc)
 allow kernel selinuxfs:dir r_dir_perms;
 allow kernel selinuxfs:file r_file_perms;
 
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
 # Allow init relabel itself.
 allow kernel rootfs:file relabelfrom;
 allow kernel init_exec:file relabelto;
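Review bot: `# Get file contexts during first stage` is correct but does not explain why the kernel domain needs this: the relabel rules just below show init still runs in the kernel domain when it relabels itself, so presumably it is first-stage init reading the ramdisk copies labelled in this patch, not kernel threads. Spell that out so a later reader does not widen or drop the rule on a misreading, e.g. `# First-stage init runs in the kernel domain until it has loaded policy and relabelled itself (below); it reads /plat_file_contexts and /nonplat_file_contexts to do so.`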
diff --git a/public/recovery.te b/public/recovery.te
index 1ec19c5ad..d6aef1c58 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -37,6 +37,8 @@ recovery_only(`
   # currently loaded policy. Allow it.
   allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
   allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+  # Get file contexts
+  allow recovery file_contexts_file:file r_file_perms;
 
   # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
   # support to OTAs. However, that code has a bug. When an update occurs,
diff --git a/public/ueventd.te b/public/ueventd.te
index b0706c895..512b019d4 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -29,6 +29,9 @@ allow ueventd efs_file:file r_file_perms;
 # Get SELinux enforcing status.
 r_dir_file(ueventd, selinuxfs)
 
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
 # Use setfscreatecon() to label /dev directories and files.
 allow ueventd self:process setfscreate;
 
diff --git a/public/vold.te b/public/vold.te
index f4a391693..89e2c2471 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -19,6 +19,9 @@ allow vold sysfs_zram_uevent:file w_file_perms;
 r_dir_file(vold, rootfs)
 allow vold proc_meminfo:file r_file_perms;
 
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
 # Allow us to jump into execution domains of above tools
 allow vold self:process setexec;
 
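Review bot: `#Get file contexts` drops the space after `#` that every other comment in this file and in this patch uses (`# Get file context`, `# Allow us to jump ...`); write it as `# Get file contexts`. Stating what vold uses them for would also help future audits, e.g. a hedged `# Get file contexts (restorecon of storage paths vold mounts/creates - confirm)`, if that is indeed the caller.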
-- 
GitLab