From 3639f57960811d6a41ca1968dea70a4315d5bbec Mon Sep 17 00:00:00 2001
From: Siarhei Vishniakou <svv@google.com>
Date: Mon, 8 Oct 2018 12:04:15 -0700
Subject: [PATCH] Allow system_server to read vendor_file

Input device configuration files .idc, .kl that are placed in /vendor
are currently not accessible.
Allow the read access here.

Bug: 112880217
Test: move .idc and .kl files from /system to /vendor, then observe
logcat. With this patch, avc denials disappear.

Change-Id: I72ad62b9adf415f787565adced73fd8aaff38832
---
 private/compat/28.0/28.0.ignore.cil | 3 +++
 private/file_contexts               | 5 +++++
 private/system_server.te            | 5 +++++
 public/file.te                      | 5 +++++
 4 files changed, 18 insertions(+)

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 3404dd5e6..ee5e3ce09 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -49,5 +49,8 @@
     timedetector_service
     timezonedetector_service
     uri_grants_service
+    vendor_idc_file
+    vendor_keychars_file
+    vendor_keylayout_file
     vrflinger_vsync_service
     watchdogd_tmpfs))
diff --git a/private/file_contexts b/private/file_contexts
index a70f61bcb..9046ee1c0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -349,6 +349,11 @@
 /(odm|vendor/odm)/overlay(/.*)?               u:object_r:vendor_overlay_file:s0
 /(odm|vendor/odm)/framework(/.*)?             u:object_r:vendor_framework_file:s0
 
+# Input configuration
+/(odm|vendor)/usr/keylayout(/.*)?.kl           u:object_r:vendor_keylayout_file:s0
+/(odm|vendor)/usr/keychars(/.*)?.kcm            u:object_r:vendor_keychars_file:s0
+/(odm|vendor)/usr/idc(/.*)?.idc                 u:object_r:vendor_idc_file:s0
+
 /oem(/.*)?              u:object_r:oemfs:s0
 
 # The precompiled monolithic sepolicy will be under /odm only when
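Review bot: The `.` before each extension in the three added patterns is an unescaped regex metacharacter, so `(/.*)?.kl` matches any character followed by `kl` rather than a literal `.kl` suffix. Writing `(/.*)?\.kl`, `(/.*)?\.kcm` and `(/.*)?\.idc` keeps the new labels limited to the intended files. The added patterns also use `(odm|vendor)` while the neighbouring overlay and framework entries use `(odm|vendor/odm)`, so files under `/vendor/odm/usr/...` would presumably not receive these labels. If that layout is supported, `(odm|vendor/odm|vendor)` would cover it.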
diff --git a/private/system_server.te b/private/system_server.te
index e91641553..048e5b2b6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -352,6 +352,11 @@ allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
 allow system_server apk_tmp_file:dir create_dir_perms;
 allow system_server apk_tmp_file:file create_file_perms;
 
+# Access input configuration files in the /vendor directory
+r_dir_file(system_server, vendor_keylayout_file)
+r_dir_file(system_server, vendor_keychars_file)
+r_dir_file(system_server, vendor_idc_file)
+
 # Access /vendor/{app,framework,overlay}
 r_dir_file(system_server, vendor_app_file)
 r_dir_file(system_server, vendor_framework_file)
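Review bot: `r_dir_file` on the three new types grants directory and symlink read as well as file read, but the file_contexts entries added in this patch label only paths ending in `.kl`, `.kcm` or `.idc`, so the containing directories presumably keep their existing label. If the avc denials from the test were only for class `file`, the narrower `allow system_server vendor_keylayout_file:file r_file_perms;` (and the same for `vendor_keychars_file` and `vendor_idc_file`) grants what is needed and nothing more. If directory or symlink access on these types is intended, the comment above the rules should say so.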
diff --git a/public/file.te b/public/file.te
index 48c2a693d..9bf910ee7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -171,6 +171,11 @@ type vendor_overlay_file, vendor_file_type, file_type;
 # apps. ABI stability of these libs is vendor's responsibility.
 type vendor_public_lib_file, vendor_file_type, file_type;
 
+# Input configuration
+type vendor_keylayout_file, vendor_file_type, file_type;
+type vendor_keychars_file, vendor_file_type, file_type;
+type vendor_idc_file, vendor_file_type, file_type;
+
 # /metadata partition itself
 type metadata_file, file_type;
 # Vold files within /metadata
-- 
GitLab