From 2ee66e7d14e3577f3f9c51b847de674df011b094 Mon Sep 17 00:00:00 2001
From: Sandeep Patil <sspatil@google.com>
Date: Mon, 10 Apr 2017 13:03:28 -0700
Subject: [PATCH] sepolicy: make exec_types in /vendor a subset of
vendor_file_type
We install all default hal implementations in /vendor/bin/hw along with
a few domains that are defined in vendor policy and installed in
/vendor. These files MUST be a subset of the global 'vendor_file_type'
which is used to address *all files installed in /vendor* throughout the
policy.
Bug: 36463595
Test: Boot sailfish without any new denials
Change-Id: I3d26778f9a26f9095f49d8ecc12f2ec9d2f4cb41
Signed-off-by: Sandeep Patil <sspatil@google.com>
---
public/mediacodec.te | 2 +-
vendor/hal_audio_default.te | 2 +-
vendor/hal_bluetooth_default.te | 2 +-
vendor/hal_bootctl_default.te | 2 +-
vendor/hal_camera_default.te | 2 +-
vendor/hal_configstore_default.te | 2 +-
vendor/hal_contexthub_default.te | 2 +-
vendor/hal_drm_default.te | 2 +-
vendor/hal_dumpstate_default.te | 2 +-
vendor/hal_fingerprint_default.te | 2 +-
vendor/hal_gatekeeper_default.te | 2 +-
vendor/hal_gnss_default.te | 2 +-
vendor/hal_graphics_allocator_default.te | 2 +-
vendor/hal_graphics_composer_default.te | 2 +-
vendor/hal_health_default.te | 2 +-
vendor/hal_ir_default.te | 2 +-
vendor/hal_keymaster_default.te | 2 +-
vendor/hal_light_default.te | 2 +-
vendor/hal_memtrack_default.te | 2 +-
vendor/hal_nfc_default.te | 2 +-
vendor/hal_power_default.te | 2 +-
vendor/hal_sensors_default.te | 2 +-
vendor/hal_thermal_default.te | 2 +-
vendor/hal_tv_input_default.te | 2 +-
vendor/hal_usb_default.te | 2 +-
vendor/hal_vibrator_default.te | 2 +-
vendor/hal_vr_default.te | 2 +-
vendor/hal_wifi_default.te | 2 +-
vendor/hal_wifi_supplicant_default.te | 2 +-
vendor/hostapd.te | 2 +-
vendor/rild.te | 2 +-
vendor/tee.te | 2 +-
vendor/vndservicemanager.te | 2 +-
33 files changed, 33 insertions(+), 33 deletions(-)
diff --git a/public/mediacodec.te b/public/mediacodec.te
index 721f624b5..b8cde809e 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -1,6 +1,6 @@
# mediacodec - audio and video codecs live here
type mediacodec, domain;
-type mediacodec_exec, exec_type, file_type;
+type mediacodec_exec, exec_type, vendor_file_type, file_type;
typeattribute mediacodec mlstrustedsubject;
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 79c0814c7..a10a6cf5b 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -1,7 +1,7 @@
type hal_audio_default, domain;
hal_server_domain(hal_audio_default, hal_audio)
-type hal_audio_default_exec, exec_type, file_type;
+type hal_audio_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_audio_default)
hal_client_domain(hal_audio_default, hal_allocator)
diff --git a/vendor/hal_bluetooth_default.te b/vendor/hal_bluetooth_default.te
index e32770dc8..01d60dbb8 100644
--- a/vendor/hal_bluetooth_default.te
+++ b/vendor/hal_bluetooth_default.te
@@ -1,5 +1,5 @@
type hal_bluetooth_default, domain;
hal_server_domain(hal_bluetooth_default, hal_bluetooth)
-type hal_bluetooth_default_exec, exec_type, file_type;
+type hal_bluetooth_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_bluetooth_default)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index 9986fb5c7..ca30e584c 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -2,5 +2,5 @@
type hal_bootctl_default, domain;
hal_server_domain(hal_bootctl_default, hal_bootctl)
-type hal_bootctl_default_exec, exec_type, file_type;
+type hal_bootctl_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_bootctl_default)
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 449f15915..60b6a5ced 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -1,7 +1,7 @@
type hal_camera_default, domain;
hal_server_domain(hal_camera_default, hal_camera)
-type hal_camera_default_exec, exec_type, file_type;
+type hal_camera_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_camera_default)
# TODO (b/36601397) move hal_camera's data file to
diff --git a/vendor/hal_configstore_default.te b/vendor/hal_configstore_default.te
index e8930ca8d..cc61a1620 100644
--- a/vendor/hal_configstore_default.te
+++ b/vendor/hal_configstore_default.te
@@ -1,5 +1,5 @@
type hal_configstore_default, domain;
hal_server_domain(hal_configstore_default, hal_configstore)
-type hal_configstore_default_exec, exec_type, file_type;
+type hal_configstore_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_configstore_default)
diff --git a/vendor/hal_contexthub_default.te b/vendor/hal_contexthub_default.te
index 67dd53020..b29808dab 100644
--- a/vendor/hal_contexthub_default.te
+++ b/vendor/hal_contexthub_default.te
@@ -1,5 +1,5 @@
type hal_contexthub_default, domain;
hal_server_domain(hal_contexthub_default, hal_contexthub)
-type hal_contexthub_default_exec, exec_type, file_type;
+type hal_contexthub_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_contexthub_default)
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index ad1762f92..3aeec069d 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -1,7 +1,7 @@
type hal_drm_default, domain;
hal_server_domain(hal_drm_default, hal_drm)
-type hal_drm_default_exec, exec_type, file_type;
+type hal_drm_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_default)
allow hal_drm_default mediacodec:fd use;
diff --git a/vendor/hal_dumpstate_default.te b/vendor/hal_dumpstate_default.te
index fa772e18d..6fbf40ff4 100644
--- a/vendor/hal_dumpstate_default.te
+++ b/vendor/hal_dumpstate_default.te
@@ -1,5 +1,5 @@
type hal_dumpstate_default, domain;
hal_server_domain(hal_dumpstate_default, hal_dumpstate)
-type hal_dumpstate_default_exec, exec_type, file_type;
+type hal_dumpstate_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_dumpstate_default)
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index 5f5de7e70..322c1040e 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -1,7 +1,7 @@
type hal_fingerprint_default, domain;
hal_server_domain(hal_fingerprint_default, hal_fingerprint)
-type hal_fingerprint_default_exec, exec_type, file_type;
+type hal_fingerprint_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_fingerprint_default)
# TODO (b/36644492) move hal_fingerprint's data file to
diff --git a/vendor/hal_gatekeeper_default.te b/vendor/hal_gatekeeper_default.te
index d48af1650..a3654cc9f 100644
--- a/vendor/hal_gatekeeper_default.te
+++ b/vendor/hal_gatekeeper_default.te
@@ -1,5 +1,5 @@
type hal_gatekeeper_default, domain;
hal_server_domain(hal_gatekeeper_default, hal_gatekeeper)
-type hal_gatekeeper_default_exec, exec_type, file_type;
+type hal_gatekeeper_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_gatekeeper_default);
diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te
index 18da09080..4c4061700 100644
--- a/vendor/hal_gnss_default.te
+++ b/vendor/hal_gnss_default.te
@@ -1,7 +1,7 @@
type hal_gnss_default, domain;
hal_server_domain(hal_gnss_default, hal_gnss)
-type hal_gnss_default_exec, exec_type, file_type;
+type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_gnss_default)
# Read access to system files for HALs in
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index f47a60477..5afa2b520 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -1,5 +1,5 @@
type hal_graphics_allocator_default, domain;
hal_server_domain(hal_graphics_allocator_default, hal_graphics_allocator)
-type hal_graphics_allocator_default_exec, exec_type, file_type;
+type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_allocator_default)
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index b65b8fe14..47343d9ec 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -1,5 +1,5 @@
type hal_graphics_composer_default, domain;
hal_server_domain(hal_graphics_composer_default, hal_graphics_composer)
-type hal_graphics_composer_default_exec, exec_type, file_type;
+type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_composer_default)
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te
index 3add20bca..9b2b921f5 100644
--- a/vendor/hal_health_default.te
+++ b/vendor/hal_health_default.te
@@ -2,5 +2,5 @@
type hal_health_default, domain;
hal_server_domain(hal_health_default, hal_health)
-type hal_health_default_exec, exec_type, file_type;
+type hal_health_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_health_default)
diff --git a/vendor/hal_ir_default.te b/vendor/hal_ir_default.te
index e43bf076a..943aab08b 100644
--- a/vendor/hal_ir_default.te
+++ b/vendor/hal_ir_default.te
@@ -1,5 +1,5 @@
type hal_ir_default, domain;
hal_server_domain(hal_ir_default, hal_ir)
-type hal_ir_default_exec, exec_type, file_type;
+type hal_ir_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_ir_default)
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 32df262ab..82a5a20b2 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -1,5 +1,5 @@
type hal_keymaster_default, domain;
hal_server_domain(hal_keymaster_default, hal_keymaster)
-type hal_keymaster_default_exec, exec_type, file_type;
+type hal_keymaster_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_keymaster_default)
diff --git a/vendor/hal_light_default.te b/vendor/hal_light_default.te
index 8c1bfb690..c7fa9a1f2 100644
--- a/vendor/hal_light_default.te
+++ b/vendor/hal_light_default.te
@@ -1,5 +1,5 @@
type hal_light_default, domain;
hal_server_domain(hal_light_default, hal_light)
-type hal_light_default_exec, exec_type, file_type;
+type hal_light_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_light_default)
diff --git a/vendor/hal_memtrack_default.te b/vendor/hal_memtrack_default.te
index 0e3ba21a0..c547699db 100644
--- a/vendor/hal_memtrack_default.te
+++ b/vendor/hal_memtrack_default.te
@@ -1,5 +1,5 @@
type hal_memtrack_default, domain;
hal_server_domain(hal_memtrack_default, hal_memtrack)
-type hal_memtrack_default_exec, exec_type, file_type;
+type hal_memtrack_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_memtrack_default)
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index a906d977b..2f1c09255 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -1,7 +1,7 @@
type hal_nfc_default, domain;
hal_server_domain(hal_nfc_default, hal_nfc)
-type hal_nfc_default_exec, exec_type, file_type;
+type hal_nfc_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_nfc_default)
# TODO (b/36645109) Remove hal_nfc's access to the nfc app's
diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te
index 47065ea45..3be4f227e 100644
--- a/vendor/hal_power_default.te
+++ b/vendor/hal_power_default.te
@@ -1,5 +1,5 @@
type hal_power_default, domain;
hal_server_domain(hal_power_default, hal_power)
-type hal_power_default_exec, exec_type, file_type;
+type hal_power_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_power_default)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index b4c9a8632..5ba4aaba2 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -1,5 +1,5 @@
type hal_sensors_default, domain;
hal_server_domain(hal_sensors_default, hal_sensors)
-type hal_sensors_default_exec, exec_type, file_type;
+type hal_sensors_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_sensors_default)
diff --git a/vendor/hal_thermal_default.te b/vendor/hal_thermal_default.te
index 9a777e062..73b2efff1 100644
--- a/vendor/hal_thermal_default.te
+++ b/vendor/hal_thermal_default.te
@@ -1,5 +1,5 @@
type hal_thermal_default, domain;
hal_server_domain(hal_thermal_default, hal_thermal)
-type hal_thermal_default_exec, exec_type, file_type;
+type hal_thermal_default_exec, exec_type, vendor_file_type, vendor_file_type, file_type;
init_daemon_domain(hal_thermal_default)
diff --git a/vendor/hal_tv_input_default.te b/vendor/hal_tv_input_default.te
index a97c1717b..12d974387 100644
--- a/vendor/hal_tv_input_default.te
+++ b/vendor/hal_tv_input_default.te
@@ -1,6 +1,6 @@
type hal_tv_input_default, domain;
hal_server_domain(hal_tv_input_default, hal_tv_input)
-type hal_tv_input_default_exec, exec_type, file_type;
+type hal_tv_input_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_tv_input_default)
diff --git a/vendor/hal_usb_default.te b/vendor/hal_usb_default.te
index cc28a65f3..5642a2aef 100644
--- a/vendor/hal_usb_default.te
+++ b/vendor/hal_usb_default.te
@@ -1,5 +1,5 @@
type hal_usb_default, domain;
hal_server_domain(hal_usb_default, hal_usb)
-type hal_usb_default_exec, exec_type, file_type;
+type hal_usb_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_usb_default)
diff --git a/vendor/hal_vibrator_default.te b/vendor/hal_vibrator_default.te
index 8bc8a724c..6c10d8a1d 100644
--- a/vendor/hal_vibrator_default.te
+++ b/vendor/hal_vibrator_default.te
@@ -1,5 +1,5 @@
type hal_vibrator_default, domain;
hal_server_domain(hal_vibrator_default, hal_vibrator)
-type hal_vibrator_default_exec, exec_type, file_type;
+type hal_vibrator_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_vibrator_default)
diff --git a/vendor/hal_vr_default.te b/vendor/hal_vr_default.te
index 7475524a1..6a60192b1 100644
--- a/vendor/hal_vr_default.te
+++ b/vendor/hal_vr_default.te
@@ -1,5 +1,5 @@
type hal_vr_default, domain;
hal_server_domain(hal_vr_default, hal_vr)
-type hal_vr_default_exec, exec_type, file_type;
+type hal_vr_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_vr_default)
diff --git a/vendor/hal_wifi_default.te b/vendor/hal_wifi_default.te
index 7c3949e66..75a98429d 100644
--- a/vendor/hal_wifi_default.te
+++ b/vendor/hal_wifi_default.te
@@ -1,5 +1,5 @@
type hal_wifi_default, domain;
hal_server_domain(hal_wifi_default, hal_wifi)
-type hal_wifi_default_exec, exec_type, file_type;
+type hal_wifi_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_wifi_default)
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 82bccdbdf..c2bdc738b 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -1,7 +1,7 @@
# wpa supplicant or equivalent
type hal_wifi_supplicant_default, domain;
hal_server_domain(hal_wifi_supplicant_default, hal_wifi_supplicant)
-type hal_wifi_supplicant_default_exec, exec_type, file_type;
+type hal_wifi_supplicant_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_wifi_supplicant_default)
net_domain(hal_wifi_supplicant_default)
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
index e7d83082e..d20581e0c 100644
--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -1,6 +1,6 @@
# userspace wifi access points
type hostapd, domain;
-type hostapd_exec, exec_type, file_type;
+type hostapd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hostapd)
diff --git a/vendor/rild.te b/vendor/rild.te
index 69c5c3983..ea9109bf9 100644
--- a/vendor/rild.te
+++ b/vendor/rild.te
@@ -1,6 +1,6 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
-type rild_exec, exec_type, file_type;
+type rild_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(rild)
# TODO(b/36613472), TODO(b/36718031): Remove this once rild no longer
diff --git a/vendor/tee.te b/vendor/tee.te
index ad43b24a0..e5e8b2d2d 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -3,7 +3,7 @@
#
typeattribute tee domain_deprecated;
-type tee_exec, exec_type, file_type;
+type tee_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(tee)
allow tee self:capability { dac_override };
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index e8988843e..f956af82b 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -1,5 +1,5 @@
# vndservicemanager - the Binder context manager for vendor processes
-type vndservicemanager_exec, exec_type, file_type;
+type vndservicemanager_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vndservicemanager);
--
GitLab