sepolicy: make exec_types in /vendor a subset of vendor_file_type

We install all default hal implementations in /vendor/bin/hw along with a few domains that are defined in vendor policy and installed in /vendor. These files MUST be a subset of the global 'vendor_file_type' which is used to address *all files installed in /vendor* throughout the policy. Bug: 36463595 Test: Boot sailfish without any new denials Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41 Signed-off-by: Sandeep Patil <sspatil@google.com>

sepolicy: make exec_types in /vendor a subset of vendor_file_type
We install all default hal implementations in /vendor/bin/hw along with a few domains that are defined in vendor policy and installed in /vendor. These files MUST be a subset of the global 'vendor_file_type' which is used to address *all files installed in /vendor* throughout the policy. Bug: 36463595 Test: Boot sailfish without any new denials Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41 Signed-off-by: Sandeep Patil <sspatil@google.com>
2ee66e7d · Sandeep Patil · c051300e · 2ee66e7d · 2ee66e7d · 2ee66e7d
Commit 2ee66e7d authored 7 years ago by Sandeep Patil
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
 # mediacodec - audio and video codecs live here
 type mediacodec, domain;
-type mediacodec_exec, exec_type, file_type;
+type mediacodec_exec, exec_type, vendor_file_type, file_type;

 typeattribute mediacodec mlstrustedsubject;


--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
 type hal_audio_default, domain;
 hal_server_domain(hal_audio_default, hal_audio)

-type hal_audio_default_exec, exec_type, file_type;
+type hal_audio_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_audio_default)

 hal_client_domain(hal_audio_default, hal_allocator)

--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
 type hal_bluetooth_default, domain;
 hal_server_domain(hal_bluetooth_default, hal_bluetooth)

-type hal_bluetooth_default_exec, exec_type, file_type;
+type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bluetooth_default)
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -2,5 +2,5 @@
 type hal_bootctl_default, domain;
 hal_server_domain(hal_bootctl_default, hal_bootctl)

-type hal_bootctl_default_exec, exec_type, file_type;
+type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_bootctl_default)
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
 type hal_camera_default, domain;
 hal_server_domain(hal_camera_default, hal_camera)

-type hal_camera_default_exec, exec_type, file_type;
+type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_camera_default)

 # TODO (b/36601397) move hal_camera's data file to

--- a/vendor/hal_configstore_default.te
+++ b/vendor/hal_configstore_default.te
 type hal_configstore_default, domain;
 hal_server_domain(hal_configstore_default, hal_configstore)

-type hal_configstore_default_exec, exec_type, file_type;
+type hal_configstore_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_configstore_default)
--- a/vendor/hal_contexthub_default.te
+++ b/vendor/hal_contexthub_default.te
 type hal_contexthub_default, domain;
 hal_server_domain(hal_contexthub_default, hal_contexthub)

-type hal_contexthub_default_exec, exec_type, file_type;
+type hal_contexthub_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_contexthub_default)
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
 type hal_drm_default, domain;
 hal_server_domain(hal_drm_default, hal_drm)

-type hal_drm_default_exec, exec_type, file_type;
+type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_drm_default)

 allow hal_drm_default mediacodec:fd use;

--- a/vendor/hal_dumpstate_default.te
+++ b/vendor/hal_dumpstate_default.te
 type hal_dumpstate_default, domain;
 hal_server_domain(hal_dumpstate_default, hal_dumpstate)

-type hal_dumpstate_default_exec, exec_type, file_type;
+type hal_dumpstate_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_dumpstate_default)
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
 type hal_fingerprint_default, domain;
 hal_server_domain(hal_fingerprint_default, hal_fingerprint)

-type hal_fingerprint_default_exec, exec_type, file_type;
+type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_fingerprint_default)

 # TODO (b/36644492) move hal_fingerprint's data file to

--- a/vendor/hal_gatekeeper_default.te
+++ b/vendor/hal_gatekeeper_default.te
 type hal_gatekeeper_default, domain;
 hal_server_domain(hal_gatekeeper_default, hal_gatekeeper)

-type hal_gatekeeper_default_exec, exec_type, file_type;
+type hal_gatekeeper_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gatekeeper_default);
--- a/vendor/hal_gnss_default.te
+++ b/vendor/hal_gnss_default.te
 type hal_gnss_default, domain;
 hal_server_domain(hal_gnss_default, hal_gnss)

-type hal_gnss_default_exec, exec_type, file_type;
+type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_gnss_default)

 # Read access to system files for HALs in

--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
 type hal_graphics_allocator_default, domain;
 hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)

-type hal_graphics_allocator_default_exec, exec_type, file_type;
+type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_allocator_default)
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
 type hal_graphics_composer_default, domain;
 hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)

-type hal_graphics_composer_default_exec, exec_type, file_type;
+type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_graphics_composer_default)
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te
@@ -2,5 +2,5 @@
 type hal_health_default, domain;
 hal_server_domain(hal_health_default, hal_health)

-type hal_health_default_exec, exec_type, file_type;
+type hal_health_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_health_default)
--- a/vendor/hal_ir_default.te
+++ b/vendor/hal_ir_default.te
 type hal_ir_default, domain;
 hal_server_domain(hal_ir_default, hal_ir)

-type hal_ir_default_exec, exec_type, file_type;
+type hal_ir_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_ir_default)
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
 type hal_keymaster_default, domain;
 hal_server_domain(hal_keymaster_default, hal_keymaster)

-type hal_keymaster_default_exec, exec_type, file_type;
+type hal_keymaster_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_keymaster_default)
--- a/vendor/hal_light_default.te
+++ b/vendor/hal_light_default.te
 type hal_light_default, domain;
 hal_server_domain(hal_light_default, hal_light)

-type hal_light_default_exec, exec_type, file_type;
+type hal_light_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_light_default)
--- a/vendor/hal_memtrack_default.te
+++ b/vendor/hal_memtrack_default.te
 type hal_memtrack_default, domain;
 hal_server_domain(hal_memtrack_default, hal_memtrack)

-type hal_memtrack_default_exec, exec_type, file_type;
+type hal_memtrack_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_memtrack_default)
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
 type hal_nfc_default, domain;
 hal_server_domain(hal_nfc_default, hal_nfc)

-type hal_nfc_default_exec, exec_type, file_type;
+type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_nfc_default)

 # TODO (b/36645109) Remove hal_nfc's access to the nfc app's