From d3edd6b577c1e40834af69420bd77b60c359ef8e Mon Sep 17 00:00:00 2001
From: Alex Light <allight@google.com>
Date: Wed, 22 Jun 2016 15:47:09 -0700
Subject: [PATCH] Allow cppreopts to work with selinux

Bug: 29278988
Change-Id: I199572377a6b5c33116c718a545159ddcf50df30
---
 cppreopts.te        | 28 ++++++++++++++++++++++++++++
 domain.te           |  2 ++
 file_contexts       |  2 ++
 init.te             |  2 +-
 preopt2cachename.te | 13 +++++++++++++
 property.te         |  1 +
 property_contexts   |  1 +
 system_server.te    |  3 +++
 8 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 cppreopts.te
 create mode 100644 preopt2cachename.te

diff --git a/cppreopts.te b/cppreopts.te
new file mode 100644
index 000000000..66df7eea4
--- /dev/null
+++ b/cppreopts.te
@@ -0,0 +1,28 @@
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject;
+type cppreopts_exec, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
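Review bot: The `mlstrustedsubject` attribute on the `type cppreopts` line has no stated rationale; as far as I know it exempts the domain from the MLS constraints, and the rules below let it create, rename and write files in dalvik-cache, whose contents are later loaded as code. Add a comment naming the access that needs the exemption, or drop the attribute if the copy works without it. Because the domain.te hunks in this commit also exempt `cppreopts` from the dalvik-cache write neverallows, consider pinning how the domain can be entered, e.g. `neverallow { domain -init } cppreopts:process transition;`. Separately, the comment `Allow us to run find on /postinstall` sits above a rule on `system_file:dir`; if /postinstall content carries that label, say so in the comment.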
diff --git a/domain.te b/domain.te
index 1ac33f1a4..471dc5348 100644
--- a/domain.te
+++ b/domain.te
@@ -378,6 +378,7 @@ neverallow {
   -zygote
   -installd
   -postinstall_dexopt
+  -cppreopts
   -dex2oat
 } dalvikcache_data_file:file no_w_file_perms;
 
@@ -386,6 +387,7 @@ neverallow {
   -init
   -installd
   -postinstall_dexopt
+  -cppreopts
   -dex2oat
   -zygote
 } dalvikcache_data_file:dir no_w_dir_perms;
diff --git a/file_contexts b/file_contexts
index 33b840b63..3f1468eb8 100644
--- a/file_contexts
+++ b/file_contexts
@@ -203,6 +203,8 @@
 /system/bin/update_verifier u:object_r:update_verifier_exec:s0
 /system/bin/logwrapper  u:object_r:system_file:s0
 /system/bin/vdc         u:object_r:vdc_exec:s0
+/system/bin/cppreopts.sh   u:object_r:cppreopts_exec:s0
+/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
 /system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
 /system/bin/dex2oat     u:object_r:dex2oat_exec:s0
 # patchoat executable has (essentially) the same requirements as dex2oat.
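Review bot: The added `/system/bin/cppreopts.sh` entry leaves the `.` unescaped, and file_contexts paths are regular expressions, so the pattern matches any single character in that position rather than only a literal dot. Write it as `/system/bin/cppreopts\.sh   u:object_r:cppreopts_exec:s0` so only the intended script receives the `cppreopts_exec` label. The neighbouring `install-recovery.sh` context line has the same form, so this follows existing style, but an exact match is preferable for a type that serves as a domain entry point.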
diff --git a/init.te b/init.te
index 6197c3908..9bc78d173 100644
--- a/init.te
+++ b/init.te
@@ -44,7 +44,7 @@ allow init self:capability sys_admin;
 
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
-allow init { rootfs cache_file cgroup storage_file system_data_file system_file }:dir mounton;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file postinstall_mnt_dir }:dir mounton;
 
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
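Review bot: `postinstall_mnt_dir` is appended to the shared `mounton` set without explanation; neither the existing comment (`Create and mount on directories in /.`) nor the commit message says why init must mount there. A separate rule with its own comment would keep the grant auditable, for example `# Mount on /postinstall so cppreopts can read the preopted files (confirm).` followed by `allow init postinstall_mnt_dir:dir mounton;`. The purpose is inferred from the cppreopts.te header in this commit and should be confirmed by the author.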
diff --git a/preopt2cachename.te b/preopt2cachename.te
new file mode 100644
index 000000000..49df64725
--- /dev/null
+++ b/preopt2cachename.te
@@ -0,0 +1,13 @@
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+type preopt2cachename, domain;
+type preopt2cachename_exec, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net:file r_file_perms;
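Review bot: The comment `Allow write to logcat.` does not match the rule under it, `allow preopt2cachename proc_net:file r_file_perms;`, which grants read access to files labelled `proc_net` and nothing on the logging path. If the rule was added to silence a denial seen while the binary was logging, say that in the comment and name the denial. If the binary does not need the access, drop the rule or replace it with a `dontaudit`, so a helper that only maps file names cannot read network state.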
diff --git a/property.te b/property.te
index 83208cfe9..64dbdef76 100644
--- a/property.te
+++ b/property.te
@@ -31,6 +31,7 @@ type security_prop, property_type, core_property_type;
 type bluetooth_prop, property_type, core_property_type;
 type pan_result_prop, property_type, core_property_type;
 type powerctl_prop, property_type, core_property_type;
+type cppreopt_prop, property_type, core_property_type;
 type nfc_prop, property_type, core_property_type;
 type dalvik_prop, property_type, core_property_type;
 type config_prop, property_type, core_property_type;
diff --git a/property_contexts b/property_contexts
index dacf2cb22..1ab1f1073 100644
--- a/property_contexts
+++ b/property_contexts
@@ -21,6 +21,7 @@ ro.runtime.             u:object_r:system_prop:s0
 hw.                     u:object_r:system_prop:s0
 ro.hw.                  u:object_r:system_prop:s0
 sys.                    u:object_r:system_prop:s0
+sys.cppreopt            u:object_r:cppreopt_prop:s0
 sys.powerctl            u:object_r:powerctl_prop:s0
 sys.usb.ffs.            u:object_r:ffs_prop:s0
 service.                u:object_r:system_prop:s0
diff --git a/system_server.te b/system_server.te
index e74f58ceb..fcaccdb49 100644
--- a/system_server.te
+++ b/system_server.te
@@ -347,6 +347,9 @@ userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
 set_prop(system_server, ctl_default_prop)
 set_prop(system_server, ctl_bugreport_prop)
 
+# cppreopt property
+set_prop(system_server, cppreopt_prop)
+
 # Create a socket for receiving info from wpa.
 type_transition system_server wifi_data_file:sock_file system_wpa_socket;
 type_transition system_server wpa_socket:sock_file system_wpa_socket;
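Review bot: The comment `# cppreopt property` only restates the type name and does not say what setting the property does. From the rest of the commit it appears to be tied to the cppreopts copy into dalvik-cache; if so, state it, e.g. `# Allow system_server to set sys.cppreopt to request the preopt copy (confirm).`. The patch shows neither the init trigger nor any reader of the property, so a reader of the policy cannot tell which component acts on it.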
-- 
GitLab